TL;DR Summary:
From the beginning, Tidepool’s goal has been to bring transparency and collaboration to diabetes technology – and that commitment extends beyond our products. When we set out to build our Quality Management System (QMS), we didn’t just want it to work for us - we wanted it to work for anyone. We wanted to create something open, accessible, and empowering for other innovators in the medical device space.
Today, we’re proud to share that Tidepool’s open source QMS - “qmsOS” - has received ISO 13485:2016 certification from the accredited certification body TÜV SÜD America. This milestone is more than a certificate; it’s proof that quality, safety, and compliance don’t have to come at the cost of transparency or collaboration.
Our open-source QMS is available today for Software as a Medical Device (SaMD) startups to leverage for their own development purposes. Our goal? To lower barriers for startups and software developers entering the world of SaMD - so together, we can get life-changing tools into the hands of people who need them, faster. This embodies our commitment to serve the diabetes community while promoting the highest quality and safety for medical devices.
Why this matters
I’ve spent over a decade immersed in regulatory affairs and quality systems. These disciplines might seem like paperwork-heavy obligations to some, but to me, they represent impact. A well-designed QMS isn’t just about compliance – it’s about making sure medical technology is built to the highest standards so people can rely on it when they need it most.
While working at Dexcom, I saw firsthand how rigorous quality systems and patient-centered design can transform lives. The launch of G6 as an iCGM (integrated Continuous Glucose Monitor) changed how people manage diabetes – reducing painful fingerpricks, improving access to real-time data, and supporting sensor-augmented insulin-delivery. G7 took it even further. Seeing my work help bring these products to market and hearing from people who use them every day reinforced my belief in the power of strong, well-implemented quality systems. I like to think of my fellow Regulatory Affairs and Quality Assurance (RAQA) professionals as unsung heroes of our healthcare industry.
So, when Howard Look approached me about joining Tidepool, I jumped at the chance. Here was a team that wasn’t just talking about changing the system - they were doing it. Publishing FDA meeting minutes? Making processes open source? Sharing knowledge instead of keeping it locked behind corporate walls? I was all in.
Draining the Regulatory Moat
Howard often talks about “draining the regulatory moat” – the idea that complex regulations shouldn’t be used as barriers to entry, making it harder for new innovators to bring their ideas to life. The diabetes community and early adopters of community-driven Loop understand this better than anyone.
Let’s be clear: I’m a firm believer in robust quality systems and the role of regulatory agencies in ensuring safety. There is a long history of why medical device regulations exist, and cutting corners is never the answer. Especially when you look at the early treatments for diabetes. But there has to be a better way to support innovation while maintaining the highest standards of safety and effectiveness. That’s where qmsOS comes in.
What is qmsOS?
At its core, Tidepool’s open-source QMS is a modern, software-first blueprint for quality management. It’s built on tools many teams already know and love - Google Workspace, Jira, Confluence, Slack - and is designed to support agile development practices.
It’s also completely open source. You can access our procedures, processes, and even our mapping of ISO 13485 requirements right now. Whether you’re just starting out or looking to refine an existing system, we want qmsOS to be a resource for you. Together, we can remove barriers that limit innovation and accelerate the development of safe, effective medical software.
Warning: The following content enters into the realm of regulatory and quality nerdom. Reading may result in a greater understanding of international consensus standards and the certification process.
Understanding Standard Certification
Accreditation bodies play a critical role in ensuring the credibility of certification processes. These entities are responsible for assessing the competence and impartiality of certification bodies, often operating under the authority granted through national legislation and regulations. Depending on your target market, different accreditation bodies may be relevant.
Agreements like the International Accreditation Forum's (IAF) Multilateral Recognition Arrangement (MLA) exist to streamline global certification acceptance. This MLA allows certifications issued by a certification body accredited by an IAF member accreditation body to be recognized in most regions worldwide. As a manufacturer seeking certification, it's essential to collaborate with a certification body accredited by an organization recognized in your target market. For instance, Tidepool worked with TÜV SÜD, a well-established accredited certification body, a full member of the IAF and a signatory of the MLA, ensuring our certification holds weight across global markets.
If this sounds complex, that’s because it is. Accreditation frameworks can feel like a maze of interconnected organizations, but they exist to ensure trust and consistency across the certification landscape.
The Role of ISO Standards
The International Organization for Standardization (ISO) publishes global standards that define best practices across industries. These standards, developed through expert consensus, provide frameworks for achieving consistency, safety, and efficiency in everything from manufacturing to communication technologies. ISO standards are deeply embedded in our everyday lives, underpinning the vehicles we drive, the food we consume, and many other technologies we rely upon.
In the context of medical devices, the development of international regulatory frameworks like ISO 13485 traces back to the early 1990s. This was a pivotal time for global collaboration. Health authorities from the EU, US, Japan, Australia, and Canada had formed the Global Harmonization Task Force (GHTF) to align medical device regulatory systems. Think of the GHTF as the Avengers of public health - experts working together to protect patient safety while fostering technological progress. While they didn't operate from a secret hideout, their collaboration led to impactful advancements. Through extensive study groups, the GHTF laid the groundwork for the convergence of international regulatory practices, codifying essential principles that would shape the future of medical device quality management.
A Historical Shift Toward Harmonization
Before ISO 13485 existed, device manufacturers relied on frameworks like ISO 9001:1994 ("Quality Systems - Model for Quality Assurance in Design, Development, Production, Installation and Servicing") and the FDA's current good manufacturing practices (CGMP). The FDA, recognizing the need for modernization, began a revision of the CGMP to incorporate design controls, aligning with the ISO 9001 requirements and an early draft of what would become ISO 13485.
Meanwhile, EN 46001 was being developed in Europe as a medical device-specific extension to ISO 9001:1994. This gradual alignment of standards on both sides of the Atlantic culminated in the first edition of ISO 13485:1996 - a landmark harmonization of quality system requirements for medical device manufacturers. Today, ISO 13485 serves as the cornerstone of quality management systems for medical devices, reflecting decades of international collaboration.
Getting Certified
Achieving certification was no small feat, but we wanted to prove that our open-source QMS could withstand the same scrutiny as any other. For Tidepool, this involved navigating TÜV SÜD's certification process, which included a quotation questionnaire, an application for certification, and a two-stage audit process. An audit plan is shared with you in advance and serves as a roadmap to what to expect throughout. Stage 1 is your readiness audit, essentially a gut check to see if you're sufficiently prepared. By Stage 2, the main certification audit, you're expected to demonstrate confidence in your system's full compliance. There are a lot of "phase gates" in the cumbersome audit procedures, but transparency and thoroughness are ensured during the audit.
Tidepool’s Stage 2 audit was conducted over three days and covered each chapter of the standard. At a high level, these are key topics addressed:
- Management
- Personnel competency
- Device authorization and facility registration
- Measurement, analysis, and improvement
- Post-Market Surveillance
- Medical Device Reporting
- Corrective action and Preventive action
- Design and Development
- Production and service controls
- Purchasing
Audit Preparation
There is no way to sugarcoat the amount of work that goes into preparing for an audit: it takes a lot. The first critical step is creating a detailed mapping of the standard requirements to your QMS. This includes a clause-by-clause analysis of where the QMS satisfies each requirement, backed by evidential records to demonstrate conformity. If you want a jump start, Tidepool’s DOC-0042 maps the requirements from the IMDRF SaMD Working Group’s Final Document N23, Software as a Medical Device (SaMD): Application of Quality Management System, to the requirements of ISO 13485:2016 and the applicable parts of the US Code of Federal Regulations.
The Audit
Going through an audit is like a visit to the dentist. No one loves getting audited, but in the long run, we know it’s important. Oddly enough, I thrive under the pressure of an audit and find the challenge deeply satisfying. Answering a complex audit request is an opportunity for knowledge and preparation to make a difference and demonstrate how your team strives to do the right thing every day.
An ISO 13485 audit is a high-stakes assessment that evaluates whether a manufacturer truly understands what they are doing. Key expectations include demonstrating management commitment to the QMS by setting quality objectives, conducting management reviews, and fostering company-wide communication. All important things! Other best practices required by the standard include:
- Having a documentation control system;
- Maintaining records while protecting PHI;
- Hiring qualified personnel and providing training;
- Considering customer feedback in the design of the product;
- Planning communications with customers and regulatory authorities;
- Determining the design's ability to meet requirements with knowledgeable specialists;
- Verifying and validating that the design satisfies acceptance criteria;
- Controlling design changes and reviewing their impact;
- Maintaining design files;
- Selecting suitable suppliers with monitoring and re-evaluation;
- Implementing production controls;
- Defining monitoring and measurement functions;
- Evaluating nonconformances and conducting necessary actions;
- Eliminating nonconformities through corrective action and preventive action.
These requirements serve the best interest of our community and reinforce Tidepool’s mission. Our audit also provided the unique opportunity to showcase our open-source QMS to an independent third party. Watching auditors navigate our easily accessible procedures and documentation online was a rewarding experience - it’s not every day that a QMS operates with that level of transparency.
Making ISO 13485 work for SaMD
ISO 13485 was originally developed with hardware in mind, and adapting it for modern software development comes with challenges. Many aspects of ISO 13485 trace back to the ISO 9001 standards in the nineties, when software development was nascent and dial-up internet was still commonplace. Unlike traditional medical devices, software is built iteratively. It’s developed, tested, broken, and improved continuously. Waterfall-style, phase-gated design controls don’t always fit.
At Tidepool, we demonstrated compliance with ISO 13485 while staying true to agile principles. By customizing our approach within Jira, incorporating risk assessments and approvals into our workflows, and ensuring automated testing and iterative development were properly documented, we bridged the gap between regulatory expectations and the realities of modern software development.
Why Open Source Matters
Making our QMS open source can have ripple effects across the industry. By sharing what we've built, we hope to help other startups avoid the "blank page" problem - that overwhelming feeling of not knowing where to start. Instead of reinventing the wheel, they can take what we've done, adapt it to their needs, and focus their energy on what really matters: building great software that helps people.
This is just the beginning. We're constantly iterating on qmsOS and are excited to see how others will use it, improve it, and build on it. If you're a SaMD developer—or thinking about becoming one—we'd love for you to join us.
Looking Ahead
Getting ISO 13485 certified is a big milestone, but it's not the finish line. We're committed to continuing to evolve qmsOS, sharing what we learn along the way, and collaborating with others to push the boundaries of what's possible in SaMD.
We want to hear from you if you have questions, ideas, or feedback - or if you've used Tidepool's qmsOS in your own work. Let's work together to make safe, effective, high-quality medical software accessible to everyone who needs it.
To explore Tidepool’s open source QMS, visit the QMS Index. You can find more information on the certification content and scope in the Certificate Explorer.
Acknowledgements
[Jacob Nardone joined Tidepool in October 2024 as our VP of Regulatory and Quality, shepherding our much-beloved Quality Management System.]
I would like to express my deepest gratitude to Howard Look, Founder of Tidepool, whose unwavering dedication and visionary leadership over the past decade made Tidepool’s ISO 13485 certification possible. His commitment to building an open-source quality management system that aligns with agile software development practices has been nothing short of pioneering.
I also want to acknowledge Sheila Ramerman, who partnered closely with Howard to architect Tidepool’s quality processes from the ground up. Her expertise, collaboration, and steadfast attention to detail laid the foundation for a system that upholds the highest standards of quality and safety.
I am incredibly privileged to have both Howard and Sheila as mentors. Their guidance has been instrumental in delivering an open-source QMS that not only meets the rigorous demands of medical device regulation but also supports the speed and flexibility of modern software development.