An Insider’s Look at the Changes Coming in ISO 13485:2016 with Mark Swanson, a Member of the Standard's Working Group

January 18, 2016

podcast_mark swanson

Did you know ISO 13485 has been revised and approved in 2016?

The quality management standard we’ve all grown to know is now being updated, and we’ll explain more on this episode of the Global Medical Device podcast.

Today we’re joined by special guest, Mark Swanson. In addition to being a consultant for H&M Consulting Group, Mark has spent the last 4 years on the working group that wrote the new ISO 13485:2016.

He knows all the insider details, and in addition to this podcast we’re doing a detailed webinar with Mark on the changes to ISO 13485:2016 and all the things you need to know it as the standard becomes live.

You can sign up for the free webinar here.


Listen Now:


Like this episode? Subscribe today on iTunes or Spotify.


Mark advises companies on quality management systems and business practices, and specifically he advises quality managers and other senior management in meeting industry standards and regulations for medical devices as well as general ISO management requirements. Be sure to check out Mark’s consulting group here.

In this episode, Mark tells us the next steps to making the updated ISO 13485 an official published standard. It's important to have some solid info about the changes that are coming so people can get prepared and know the “why’s” about everything it brings. It’s been in the making for 4 years, so we’re obviously expecting this to be the best yet.

Today you’ll be learning the single biggest change that people need to know about the new ISO 13485, and why it’s so important for global medical device companies to understand the topic of risk management as it applies to the updated standard.

When it comes to ISO 9001:2015, there are no conflict or competing requirements between the two standards. Both ISO 9001:2015 and ISO 13485:2016 have the right hooks to hang additional requirements off of or whatever is necessary within the regulated environment to continue being consistent. They’ve truly been consistent with what the true requirements are.

This new ISO 13485 is going to change the way medical device companies think and build products forever. We talk about controlling your processes, the things you need to know from a supplier control standpoint, its differences in structure, and what the timeline is for adoption.

Essentially, we tell you all the things you need to know before making the switch.

To get in touch with Mark, you can check out his website at, feel free to shoot him an e-mail at, or give him a call at (763) 234-0727.

In just a few short weeks we’re going to be hosting a webinar with Mark on Feb 9th, 2016 at 1:00pm EST, where we’ll go further in depth on all the topics we’re discussed today and the changes to ISO 13485 you need to be prepared for.

You can sign up for the free webinar using this link.

New Call-to-action


Announcer: Welcome to the Global Medical Device podcast where today's brightest minds in the medical device industry go to get their most useful and actionable insider knowledge, direct from some of the world's leading medical device experts and companies.

Jon Speer: Did you know that ISO 13485 has been revised and approved in 2016? And it's gonna be published later this month? Yeah, that's right ladies and gentlemen, ISO 13485, that quality management system we all have grown to love is now being updated. And that is why you need to listen to this episode of the Global Medical Device podcast.

Jon Speer: Hello this is Jon Speer, Founder and VP of Quality and Regulatory at and today I have a special guest, Mark Swanson. Mark was part of the working group that wrote the standard, so he knows all the insider details. Oh, and I know this podcast is gonna be helpful for you all, but we're also doing a detailed webinar with Mark Swanson on ISO 13485:2016 and all the things that you need to know about as the standard becomes live. And that webinar is gonna take place on February 9, 2016 at 1:00 PM Eastern Time. So be sure to contact us to learn more and get signed up for that webinar.

Jon Speer: Hello, this is Jon Speer, the Founder and VP of Quality and Regulatory at and welcome to this exciting edition of the Global Medical Device podcast. Folks, we manage to find the best people in this industry and bring them to this podcast time after time, and today is no exception. Today, we have Mark Swanson. Mark is a freelance consultant with H&M Consulting Group. You can find Mark's consulting group at And with H&M Consulting Group, Mark advises companies in quality management systems and business practices. Specifically, Mark advises quality managers and other senior management in meeting industry standards and regulations for medical devices, as well as general ISO management requirements. Mark, welcome to the Global Medical Device podcast.

Mark Swanson: Thanks Jon. I love the build-up. It's awesome to be with you here today.

Jon Speer: Yeah, well I'm glad that you're with us and of course we're gonna learn a lot about, a little bit about your consulting practice. I also heard through the grapevine that you know a little bit about ISO 13485.

Mark Swanson: Yeah, you heard that a little through the grapevine. Yeah, I've been with the working group. Well, it's been almost four years now that we've been working on the changes coming that are hopefully, be published here in the next few weeks.

Jon Speer: That's exciting, so catch us up on that. So if I remember the last thing that I saw is ISO 13485 can officially be called 13485:2016. I think I saw that's approved, and tell us sort of the next steps to making that an official published standard.

Mark Swanson: Yeah, so the FDIS ballot came back approved on December 29. The next moves to publication are simply addressing the editorial comments that can be addressed. And those actually were sent in yesterday on Monday to ISO. Now they're gonna go through their formal steps of publication, making those editorial changes and should be just a few weeks before we see the standard being published by ISO.

Jon Speer: That's awesome. So four years, that really puts things in perspective. I think that the current version of 13485 was published in 2003.

Mark Swanson: Yep.

Jon Speer: And obviously that worked just fine for companies. Still works for many companies today, and so to know that this next version has been in the works for four years, that sounds like a time-consuming endeavor.

Mark Swanson: It has been time consuming, and our natural conservative nature I think sometimes it gets the best of us in med device of course, and just trying to move these things through the step. People talk about watching the grass growing, talk about a standard being put together.

Jon Speer: Yeah. Well, you and I chatted the other day and one of the things that we're certainly gonna work with you on and be presenting to the audience listening today, is you're gonna do a webinar for us on some of the specific changes of ISO 13485:2016.

Mark Swanson: You bet. Here, as everybody gets ready for this changeover and looking towards certification to the new version of the standard, I think it's important to have some of the solid info out there about the changes that are coming so that people can get prepared and have all of the detailed information of why we're... Why, what's there is there.

Jon Speer: Alright. So today what I'd like to do with you is I've got a... I've prepared a couple of questions for you and we're gonna stay fairly high-level today, but at least give some perspective on what medical device companies can expect in this new version of 13485. So the first question I'm gonna throw at you and it's a bit of a doozy, so we'll do our best to get answers to these questions, but the first question is, in your opinion, what is the biggest, single biggest change that medical device companies need to know about ISO 13485:2016?

Mark Swanson: And Jon you giggled about this, kind of a doozy. Of course, that's the million dollar question, right? What's the biggest change that I have to be concerned about? And it's really difficult to say that there's one specific thing to worry about. Some of the things that I talk about with the people as I interface with them is really, a lot of the change here is moving from things that were implicit to actually being explicit, written down requirements that you can look at and touch and see. Certainly, the expansion, the explicit expansion now that it covers from concept to delivery of the product to the customer, that might be considered a huge change for some people that were... Once that left their doors, they didn't care about it anymore, those types of things. But supplier, they shifted from training to competency, there's a myriad of things that you can talk about.

Jon Speer: Okay. And yeah, I think it's safe to say that the more explicit nature, one of the things that I read about this new version of 13485 is really... It's been adapting to better align with the regulatory expectations, and you mentioned an example with the supplier controls, and I think those of us who've been in this space for any period of time, especially the past few years, know about the importance of having supplier controls in place. So it sounds like ISO is playing a little bit of catch up, is that a fair statement?

Mark Swanson: Yeah, that's certainly a fair statement. The expansion of that... What used to be Section 7.4 on Purchasing Controls now also include supplier selection and monitoring, and those pieces explicitly.

Jon Speer: Yeah. And I know from an FDA side of the world and a regulatory environment, contract manufacturers and a lot of other suppliers, previously, they were sort of off the radar screen from an FDA's perspective, and that's certainly not the case today. And it's good to see that that's also an expectation that's gonna be changing in 13485, because those suppliers, contract manufacturer, that's an important part of the medical device puzzle, so to speak.

Mark Swanson: And for certain... You talk about other geographies like Asia, their biggest concern has to be about distributors 'cause that's what they see the most of, is medical device distributors. And so, distributors are now really within the scope of 13485, and will be expected to have a quality system.

Jon Speer: Alright. Good. Alright. So let me hit the next question and...

Mark Swanson: Sure.

Jon Speer: These all might be doozies, I guess I should've qualified that before we got going, but risk management, I guess those two words all by itself... We've done, at the Global Medical Device podcast, we've done some podcast just on that topic alone, but as it relates to 13485, help me understand a little bit why this is so important for medical device companies to understand this topic of risk management, as it applies to 13485.

Mark Swanson: Well, and certainly, you see the expansion of risk management and risk-based decision making within not just med device companies, but all companies. ISO 9001 has directly incorporated risk-based thinking and has a lot of information on risk-based thinking. And they're just following along with what we've been doing in the med device industry, and really risk-based thinking has been well accepted whether you're talking about FDA or other competent authorities, other agencies, that risk-based thinking and mitigating risk to levels as low as possible really has been pretty pervasive, even the EN versions of the list standards recognize that.

Mark Swanson: What this does is it takes beyond just the product risk and just thinking about product risk, but also how do you incorporate that type of risk-based thinking within your quality management system, within your decision making? When I'm deciding what resources to spend on data monitoring and all of the stuff that happens internally to companies. How do I decide what resources to utilize? You can utilize the risk-based thinking and incorporating that and applying the resources that are in line with the risk. So higher risk things would have more resources applied, and all of that type of thinking. So this takes it to that next level which again, lots of companies have been operating that way, this takes it to that explicit require... Outlining those requirements.

Jon Speer: Sure. And I know one of the things that we found with when we rolled out the risk management feature set that aligns with ISO 14971, we find ourselves often in the role of trying to educate the consumer I guess, or the medical device professional, as to, "Well, this is what risk management means, and this is what the expected behaviors are." And I would imagine in a lot of respects, that's really what's expanded when it comes to risk management and risk-based decision making process from a QMS perspective and ISO 13485.

Mark Swanson: That's exactly it. I think that the processes, what you've developed with Greenlight, talking through the thinking on how do you make decisions, and enabling those decisions and documenting what you... The information that's around that, that's really what the important part is, and certainly your system provides that.

Jon Speer: Sure. And I suspect as we start to put together this webinar, Mark, on the changes of 13485:2016, that it probably makes sense for us to focus. I'm not telling you necessarily what to do, you probably already have an idea in mind, but...

Mark Swanson: Yep.

Jon Speer: I would imagine that risk-based decision making process from a QMS perspective, that there will be a lot of interest in that particular topic by itself.

Mark Swanson: There has been at... Every place that I've been, everybody's wanted to know about how do you incorporate risk management.

Jon Speer: Sure. Because it's change, or it's perceived change. Human nature is we don't like change and we just wanna make sure that we're doing the right thing and the knee jerk reaction is, "Oh, they're make us do all this risk stuff." I even heard, I don't know if this is a true statistic, I guess you can confirm, but I heard that the... I haven't counted myself. The 2003 version of 13485 has something like 54 references to risk or risk management or something like that, and that this new version has over 250 references.

Mark Swanson: Yeah, it's certainly is much more prevalent. Anytime you work. 'Cause we... The standard is about quality management systems, and now incorporating risk-based thinking into your quality management system, of course, we're gonna have a lot more references than just what we had for product development.

Jon Speer: Sure, okay. Alright, so, Mark, you've been doing quality management system consulting for quite some time, even before that, you've worked in this industry for a while as well, so you've seen the good, the bad, the ugly, I suspect, right?

Mark Swanson: Yeah.

Jon Speer: [chuckle] So do you think that this shifting to the new ISO 13485:2016, do you think this is gonna require a lot of change? Think about your client base particularly, is this new standard gonna change the way medical device companies operate, think and so on?

Mark Swanson: Well, I think it'll challenge most medical device companies to think beyond just doing the minimum, that as you incorporate the risk-based thinking that you have to consider some possibilities. Some, in essence, failure modes and impacts to your system from a risk-based standpoint that you're gonna have to consider from a strategic initiative in your management. And it will affect how you do things on a daily basis in essence. So that requires just... The thing about it is that as I'm even saying that, I'm like, "but this is the reason that that's been incorporated," 'cause it's kind of a natural way of thinking. So your natural common sense in those types of things, and then incorporated that into what you do within your quality management system. It probably is a change, but I think it's a change for the better and will help enhance the use of the 13485 and the quality management system to enhance business, enhance product safety and reliability.

Jon Speer: Right. I guess I should tell you a little bit about my educational background. By degree, I'm a chemical engineer and I remember one of the courses I took in my Chemical Engineering studies is Controls, Systems Controls. And I guess fast forward to today, I think of myself as kind of a systems guy, but I equate this 13485 and a lot of things we do actually, from a quality system standpoint to a controls problem. And I see risk management, if you'll pardon my analogy here, or metaphor, whatever the appropriate term is, but I almost see risk management as sort of that feedback loop.

Mark Swanson: Yep.

Jon Speer: Right.

Mark Swanson: You betcha and that's... And that's really what's happening here, 'cause that's some of the things that I have to talk to people about and maybe one of the biggest changes, as you look at 9001 as well, is kind of the shift in auditing and the shift in thinking there, is that you really have to see what they intended and what they had in place as far as controlling or managing the risk in all of these processes, and then it's up to them to evaluate whether or not it's effective and they need to do more, or less with that.

Jon Speer: Okay.

Mark Swanson: So those are all the things that you have to talk about from a process control standard in controlling your processes.

Jon Speer: Sure. Alright, so let's dive into a couple of other areas just a little bit deeper. Let's talk a little bit about my personal favorite. I don't know if it's yours. My personal favorite is design controls. I actually love design control. Let's be real, I kind of like quality system stuff and I like risk management too, but I really love design control. I'm curious, 13485, how does this 2016 version, how does that change or what are the big impact from a design control perspective?

Mark Swanson: Yeah, I'm gonna talk from really a quality system standpoint, and how you're looking at it. So one of the things that had to happen with specifically this design controls and you saw it, in the design control section of the 2003 version of the standard, it dove down into... There was five... There might have even been a couple places where there were six subdivisions, x.x.x... Whatever.

Mark Swanson: With this, we've lifted a bunch of those up to just be three, the third subdivision. The reason for that has to do with auditing and MDSAP, and the system that's being used there. So despite that... So you'll see several of those clauses being lifted out of the weeds, so to speak, and brought up some levels, but the other really I think significant impact on design controls, and we've continued design inputs and design outputs and all of those pieces. There's some additional details and verification and validation. There's specifically some things you have to think about this a little bit. But we've never had a direct requirement that when you were doing a system or subsystem that you had it actually connected to what it was gonna be connected to in the field.

Jon Speer: Right.

Mark Swanson: That is explicitly in the next version of 13485, that you have to do verification and validation when it's connected.

Jon Speer: Right.

Mark Swanson: Which makes a lot of sense. There's a whole new section on design transfer. It had a couple of words in outputs before, and now it has its own section in design transfer and being able to transfer that design into a manufacturing thing. And I think that's the... Again to focus on things like contract manufacturers that you've been talking about that we've needed to provide some additional controls. All of these things are in that what used to be Section 7.3 in Design Controls, is in that level. And so, I think you'll see a lot of... Again, the movement from implicit requirements of things that were kind of there to explicit requirements that you can understand and implement.

Jon Speer: Right. And I always look at design controls as this thing that's a living, breathing thing or process, if you will. Again, I'll use that control problem, there's a feedback loop. I design and develop my product, I transfer it to production, it's in use by end users, patients, what have you, and then I learn stuff about that. Whether that's a complaint or an improvement or what have you, and I wanna feed that back into my design controls and verify, validate, and so on and so forth. So I look at my design controls as this living, breathing thing that's constantly and consistently representing the product as it is at that point in time.

Mark Swanson: Yeah. And certainly that's been expanded too with the section on control of design and development changes.

Jon Speer: Sure.

Mark Swanson: Also, there's a new section on the actual... What we would call a "design history file", that you have to actually maintain that file for your device type or family.

Jon Speer: Right.

Mark Swanson: Including the references and all those records.

Jon Speer: Right.

Mark Swanson: So, all of this is kind of saying... Again, the things that have been implicitly there are now explicitly there.

Jon Speer: Right, right. So let's talk a little bit about supplier controls. You hinted on that a moment ago that that's an area of... I guess, more explicit details are defined within the 2016 version. So, what else would you like to share from a supplier control standpoint?

Mark Swanson: Yeah, the big thing there to me is gonna be that selection, evaluation and selection. You have to have a process and establish your criteria for evaluation and selection of suppliers to make sure that organizations implement that. That you really wanna know that your suppliers can meet the requirements of whatever you're asking them to do; whether it's supplying a subassembly or doing the contract manufacturing or providing the service like consultants.

Jon Speer: Right, right.

Mark Swanson: So all of that really is covered under that purchasing information. And then the explicit requirements of being able to communicate. There's a requirement to, if you can, to get a written agreement that the supplier notify the organization of any changes in the product that they're supplying.

Jon Speer: Right.

Mark Swanson: So again, we are trying to make sure that those controls and that flow, the communication flow is happening as best we can from within the requirements of the standard.

Jon Speer: Sure. I know we're probably approaching 20 minutes into our discussion today...

Mark Swanson: Yup.

Jon Speer: And the thought just occurred to me that maybe I should have added this at the very beginning. But I know sometimes as I talk to people, there is some confusion about ISO 13485 versus FDA 21 CFR Part 820. And I guess the summary here is FDA 21 CFR Part 820 is for medical devices, design, develop, manufacture and so on, in the US under the FDA's jurisdiction. Whereas ISO 13485 is a little bit broader in its use and acceptance. But as I hear you describe the changes in the 2016 version of 13485, I see now more than ever that there is greater alignment between FDA and ISO with respect to medical device.

Mark Swanson: Well, and again, that was... The big effort here has been in alignment between the regulations and what's been provided in the standard. Whether you're talking about European regulations, FDA regulations, Japan regulations, they obviously had the regulators sitting at the table and asking them, "What do we need to bring in and what can we all agree on are good things to put into the standard?"

Jon Speer: Sure.

Mark Swanson: And so, there was a lot of effort. That was one of the direct design inputs, was that alignment.

Jon Speer: Right. Alright, good. Alright, so now, up until, let's say, last year, and I'll use a specific example of a contract manufacturer. It was pretty common, at least in my world, that a contract manufacturer that was providing services to medical device companies, that sometimes if they were ISO-certified, sometimes they would carry, basically, a dual certification. They would be both ISO 9001-certified, as well as ISO 13485-certified. And obviously, 9001 changed last year and now 13485 is going to change here in 2016. So up until those changes, those two standards were in pretty good alignment with one another. So do you see that still being the case going forward or do you see that they've kinda parted ways?


Mark Swanson: I do. I was lucky enough to be the liaison from the group writing 13485 to the group that did the writing of 9001. And there was considerable effort to ensure that there was, A, above and beyond everything that there was no conflicts. And that is true, there is no conflict, there's no competing requirements between the two standards. So you can rest assured on that standpoint.

Jon Speer: Good.

Mark Swanson: And then, B, that both 9001 and 13485, you could use the metaphor of hooks. They have the right hooks or connections there that we could hang additional requirements off of or whatever was necessary within the regulated environment that... To basically be consistent.

Jon Speer: Okay, good.

Mark Swanson: And so, I see them as still being consistent in what their requirements are, the true requirements are. To me, the organization of the thing is immaterial and obviously 9001 has the new high-level structure that's being dictated by ISO. And 13485, very early in the process, had applied for an exemption from that, from ISO, and received the approval from the technical management board for that exemption. Because the way that our system is organized, and the regulators are organized, it would be very difficult for them to change the structure at this standpoint.

Jon Speer: Right.

Mark Swanson: Just as an aside, I perceive that to be in discussion over the next few years on how that transition can be made to the new high level structure. Obviously it didn't happen with this revision, but I don't think there's any conflicts. Yes, there's a difference in structure but the requirements are not conflicting and actually enhance one another.

Jon Speer: Alright. That's good to know. I'll be sure to share that with all my contract manufacturing friends. So the last, I guess, question that I have for today, of course, this is a new standard. 2016, everyone who's already ISO certified is probably saying, "Okay, well, what does that mean? I have an ISO audit coming up in March, does that mean I have to convert to the 2016 version? What's the timeline for adoption?" So can you shed a little bit of light on timeline sorts of questions?

Mark Swanson: Alright. We had obviously a lot of discussion within the working group and I actually drafted several pieces of the transition. It's very similar to what 9001's transition looks like. It's basically, outline is a three-year transition. So three years after publication, the 2003 version will be withdrawn and you wouldn't be able to get certified to that. As we move through this implementation, we'll start seeing the certification bodies, notified bodies that'll be able to audit to the new version. Probably within the first year, you'll be creating those transition plans. In year two, you probably be actually doing that transition to the next version. By the end of the second year, there will be no new certifications or recertifications done to the old version, but it'll all be done to the new version at year two, and so that year two will see certifications to the version would expire and you'll have to be on the 2016 version.

Jon Speer: Okay, that's very helpful. Alright, so...

Mark Swanson: So I hope there's enough detail because I wrote a bunch of it. Like I said, I get a bunch of the detail there...

Jon Speer: Yeah.

Mark Swanson: And sometimes it's too detailed for people, but basically, it's a three-year transition with some timelines along the way.

Jon Speer: Alright, so Mark, I appreciate you being a part of the Global Medical Device podcast today. Why don't you let everybody know the best way to get a hold of you, 'cause I'm sure our audience is gonna have questions and comments and, hey, what better source than to get a hold of Mark Swanson from H&M Consulting Group to learn what you need to do to get your quality system up to speed. How can people get ahold of you?

Mark Swanson: The very best way is by email, Mark, M-A-R-K, It's H&M Consulting Group. You can always call me on my cell phone and I don't hesitate at all to give my cellphone number out. 7-6-3-2-3-4-0-7-2-7. Again, that's 7-6-3-2-3-4-0-7-2-7.

Jon Speer: Alright, well again, Mark, thank you. And be sure to check out Mark's company, B-I-Z, H&M Consulting Group. Mark and I are gonna do a webinar here very soon. We're gonna go into a little bit more depth on these topics that we hit on today and some of the changes that you can expect with ISO 13485:2016. This is Jon Speer, and I'm the Founder and VP of Quality and Regulatory, at, we have some awesome software that's gonna make your life easier, especially as you put that quality system in place. Check us out, Yes, that is the domain. Be sure to take the product tour on our website, and if you want a demo just click that little button, request the demo and our team will make that happen for you.

Mark Swanson: Great. Thanks, Jon!



The Global Medical Device Podcast powered by Greenlight Guru is where today's brightest minds in the medical device industry go to get their most useful and actionable insider knowledge, direct from some of the world's leading medical device experts and companies.

Like this episode? Subscribe today on iTunes or SoundCloud.

Jon Speer is a medical device expert with over 20 years of industry experience. Jon knows the best medical device companies in the world use quality as an accelerator. That's why he created Greenlight Guru to help companies move beyond compliance to True Quality.

Search Results for:
    Load More Results