A QA/RA quality team in a startup is not a miniature version of the big-company org chart. It is a small number of honestly named seats, often one or two people carrying the function, where QA (quality assurance, the QMS operator) and RA (regulatory affairs, the regulation interpreter) are distinct bodies of work even when they sit on the same desk. MDR Article 10 places the manufacturer obligations on the legal entity, and Article 10(9) requires a QMS proportionate to the risk class and device type, which means a 3-person startup is legally allowed to run a lean quality function, but only if the competence behind each role is real. The PRRC under MDR Article 15 is a third, separate role that overlaps with QA/RA but cannot be collapsed into them. The goal is the minimum structure that actually works, not the minimum structure that looks like compliance.
By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.
TL;DR
- A startup quality team is not a shrunken enterprise org chart. It is QA and RA as distinct bodies of work, usually carried by one or two people at small scale, with the PRRC role under MDR Article 15 as a separate legal function on top.
- MDR Article 10(9) requires the QMS to be proportionate to the risk class and the type of device. Small companies are allowed to run small quality functions. The law says so explicitly.
- EN ISO 13485:2016+A11:2021 clause 5.5 requires defined responsibility, authority, and communication, and clause 6.2 requires competence based on education, training, skills, and experience. Both apply at any company size, including three people.
- The cleanest 3-person arrangement is: a quality and regulatory lead who owns QA + RA, a technical lead who owns cross-functional QA embedded in engineering (design controls, verification, risk), and a CEO who owns management responsibility under clause 5.5.
- QA and RA separate as distinct hires between 10 and 30 people, usually when the RA workload alone exceeds half a full-time role or when the QMS operation needs dedicated daily attention.
- The most dangerous failure mode is title inflation: calling someone "Head of Quality" when the actual scope is document control, or "RA Manager" when the person has never read an MDR article end to end.
- The Vienna QA manager story shows the right pattern: take a framework you already know, customise it ruthlessly for the device in front of you, and ship a lean QMS that a Notified Body can audit in a day.
- The Austrian fake-expert story shows the wrong pattern: hire someone with the vocabulary but not the substance, and run the company on a title rather than the work.
Why this matters for your startup
There is a Vienna quality manager we worked with whose approach we still point to as the right way to build a startup QMS. She had come from a larger MedTech company and knew the ISO 13485 framework cold. When she joined a small startup, she did not import the old QMS. She took the framework she already understood and ruthlessly customised it for the specific device, the specific team size, and the specific risk profile in front of her. What landed was a QMS with the smallest number of procedures that still satisfied every clause. No copy-paste, no vestigial documents, no processes that existed only because the previous company had them. The Notified Body audit was calm. The auditor could see the whole system in a day. The quality team was one person plus a technical co-founder who owned design controls inside engineering, and it worked.
There is another Austrian company, the one we keep coming back to in this series, where the founders used the sentence "we have a dedicated expert handling regulatory" to end every difficult conversation. The title existed. The CV existed. The substance did not. Intended purpose was inconsistent between documents. Classification pointed at the wrong Annex VIII rule. The quality function on paper looked like a quality team. In practice, nobody was doing the work. Both of these stories are quality-team stories. They are not about headcount. They are about whether the structure produces real work by real owners, or whether the structure is decoration on a problem that has not surfaced yet. For the deeper pattern on verifying competence, see DIY vs Hiring a Regulatory Consultant.
The minimum roles. QA versus RA, and why the distinction matters
QA and RA are often collapsed into one bucket by founders who have not worked in MedTech before, and that collapse is the first mistake. They are related bodies of work, but they answer different questions.
Quality Assurance (QA) is the operator role. QA owns the QMS. The documented procedures, the document control, the training records, the internal audits, the CAPA system, the supplier controls, the management review cadence, the release records, the complaint handling infrastructure. QA is the person who makes sure the system runs every day and leaves a trail an auditor can follow. QA's core reference is EN ISO 13485:2016+A11:2021, specifically the clauses on management responsibility (5), resource management (6), product realisation (7), and measurement, analysis and improvement (8).
Regulatory Affairs (RA) is the interpreter role. RA reads the MDR, the harmonised standards, and the MDCG guidance, and decides what they actually mean for your device. RA owns intended purpose, classification, the regulatory strategy, the Notified Body relationship, the technical file architecture, the clinical evaluation plan, the regulatory submissions, and the regulatory response to change. Any design change, any scope change, any new market. RA's core reference is the MDR (Regulation (EU) 2017/745) itself, read article by article, not paraphrased from memory.
The two bodies of work overlap, but the instincts are different. QA thinks in procedures. RA thinks in articles. QA asks "is this documented?" RA asks "does this satisfy the regulation?" A company that has only QA and no RA ends up with a beautiful QMS that may not actually map to what the MDR requires. A company that has only RA and no QA ends up with a strong regulatory strategy and no daily discipline to execute it. Both are failures, and they fail in different directions.
At small scale, one person usually carries both hats. That is fine if the competence is genuinely present on both sides. What is not fine is assuming the titles are interchangeable and hiring a document controller into an RA seat.
MDR Article 10(9) and proportionality
Before we go further into who does what, the regulation itself is worth quoting on size.
Under MDR Article 10(9), manufacturers of devices (other than investigational devices) shall establish, document, implement, maintain, keep up to date and continually improve a quality management system that shall ensure compliance with the Regulation in the most effective manner and in a manner that is proportionate to the risk class and the type of device. The article then lists the areas the QMS shall address: regulatory strategy, identification of applicable GSPR, responsibility of management, resource management (including selection and control of suppliers and subcontractors), risk management, clinical evaluation, product realisation, UDI assignment, PMS, communication with authorities, vigilance, corrective and preventive actions, and monitoring of processes.
Two things matter about this. First, "proportionate to the risk class and the type of device" is a legal permission to run a smaller QMS for a smaller, lower-risk device. A 3-person startup building a Class IIa standalone software device is allowed by the regulation to have a smaller QMS than a Class III implantable manufacturer. The proportionality is not a loophole. It is explicit in Article 10(9). Second, the list of areas the QMS must address is not proportionate. All of those areas must be covered, regardless of company size. What scales is the depth and the infrastructure. What does not scale is the scope.
This is why the Vienna QA manager pattern works. She did not skip clauses of ISO 13485 or areas of Article 10(9). She implemented every one of them in the lightest form that actually did the job. That is the right reading of proportionality. Skipping areas because the company is small is not proportionality. It is non-compliance with a smaller word count.
EN ISO 13485 clauses 5.5 and 6.2. The two clauses every quality team lives under
EN ISO 13485:2016+A11:2021 has two clauses that define the shape of the quality team at any size. Clause 5.5 (responsibility, authority, and communication) requires top management to ensure that responsibilities and authorities are defined, documented and communicated within the organisation, and to appoint a member of management with defined responsibility and authority for the QMS. Clause 6.2 (human resources) requires that personnel performing work affecting product quality be competent on the basis of appropriate education, training, skills and experience, and that records of that competence be maintained.
Read together, these two clauses say: you must name the people, you must define what they are responsible for, you must be able to show they are competent, and top management must appoint a QMS management representative. At 3 people, the management representative is often the CEO. At 10 people, it is usually the quality and regulatory lead. At 30 people, it is usually a head of quality who sits beneath the CEO. The clause does not care which. It cares that the appointment is made, documented, and backed by competence evidence.
The competence documentation under 6.2 is the clause that catches the Austrian fake-expert pattern at audit time. "We have a dedicated expert handling regulatory" is not a 6.2 answer. A 6.2 answer is a CV, a training record, a description of the specific work the person has done, and ideally a way to demonstrate that the person understands the device in front of them. If the competence file is thin, the quality team is thin, regardless of the org chart.
Cross-functional QA. When engineering owns part of the quality function
One of the subtractions that makes a small quality team work is recognising that part of what big companies call "QA" is actually engineering work. Design controls, design verification, design validation, risk management, software lifecycle management, usability engineering, traceability from requirements through tests. These are engineering disciplines that happen inside the product team, not inside a separate QA department. In a startup, fighting that reality is expensive. Accepting it is liberating.
Practically, this means the technical lead or CTO owns a defined part of the QA scope as cross-functional QA embedded in engineering. The quality and regulatory lead owns the QMS infrastructure that wraps around it. Document control, training, internal audit, CAPA, management review, supplier controls. The two collaborate on design controls because design controls are the boundary layer. The CTO runs design reviews with traceability. The quality lead makes sure the records are kept, the procedures are followed, and the auditor can find everything.
This split only works if both people understand the interface. The CTO has to treat design controls as part of their job, not as "QA's problem." The quality lead has to trust that engineering is doing the technical work correctly, while still auditing that the records are there. Neither side can collapse into the other. When it works, the quality team can be one dedicated person even at 15–20 employees, because the engineering team is carrying a significant share of the load. When it does not work, the quality team has to be bigger to compensate for engineering not owning its half.
The PRRC as a separate role
A common confusion in startups is assuming the quality and regulatory lead is automatically the PRRC under MDR Article 15. Sometimes they are. Often they should not be. The PRRC is a distinct legal function with specific qualification requirements and specific tasks, and collapsing it into a generic "head of quality" title can produce a legal mismatch.
The PRRC qualification criteria under MDR Article 15(1) (either the degree-plus-one-year route or the four-year experience route) may or may not be met by the person you have in the quality and regulatory lead seat. If the quality lead meets the criteria and has bandwidth, they can be the PRRC. If they do not, the PRRC is a separate appointment: an internal one if the company is past the micro/small enterprise threshold, or a person permanently and continuously at the company's disposal under Article 15(2) if it qualifies as a micro or small enterprise. For the detailed walk-through, see the hub post The MedTech Startup Team, the decision framework in The PRRC Role in Startups, and the legal foundation in PRRC and MDR Article 15 and PRRC Options for Startups.
The practical rule is simple. Name the PRRC explicitly. Do not assume the title "quality manager" includes the PRRC function. Document the appointment. Keep the competence file under ISO 13485 clause 6.2. Make sure the PRRC actually has the protection Article 15(6) gives them (no disadvantage for doing the job), which in a startup means the CEO has to back them when they say no.
How the team evolves: 3 → 10 → 30
3 people. Quality and regulatory is one person, usually a co-founder or the first non-engineering hire, who carries QA and RA together and holds the PRRC appointment if they qualify. The CTO carries the cross-functional QA load inside engineering. The CEO carries management responsibility under clause 5.5 and is the named management representative for the QMS. The work is real but the infrastructure is minimal. A framework-plus-customisation approach (the Vienna pattern) is what makes this stage viable.
10 people. The quality and regulatory lead becomes a full-time internal hire if they were not already. The CTO still owns cross-functional QA in engineering, but now there is usually a senior engineer who owns design controls as a defined part of their scope. The QMS has moved from "implemented" to "operating". Internal audits are happening, CAPAs are being worked, management reviews are real. The PRRC appointment is formalised and documented. This is the stage where most companies discover whether the person in the quality and regulatory seat is actually competent or just holding the title. If the answer is no, the cost of the correction is painful but still manageable. See Hiring Your First Quality Manager for MedTech for the timing question.
30 people. QA and RA have usually separated into distinct functions. There is a head of quality who owns the QMS operation and reports to the CEO. There is a head of regulatory affairs who owns the regulatory strategy and the Notified Body relationship, often reporting to the CEO or to the head of quality depending on the company's shape. The PRRC is often the head of RA or a senior regulatory specialist who meets Article 15 criteria. Design controls and risk management are still inside engineering, but with tighter quality oversight. The company is probably approaching or past CE marking, and post-market surveillance, vigilance, and supplier management now require dedicated attention. See Post-CE Team Growth for MedTech Startups for the post-market expansion.
At every stage, the transitions are not automatic. A founder who waits too long to hire the first dedicated quality person is building technical and regulatory debt that compounds. A founder who hires too early is paying for a layer the company does not need yet. The signal to hire is usually work that is no longer getting done, not an org-chart milestone.
The dangers of title inflation
Title inflation is the pattern where a job title is upgraded to attract a candidate or to impress a board, without matching growth in scope or competence. It happens in every industry, and in MedTech it is specifically dangerous because titles map onto regulatory expectations.
Three patterns we see repeatedly.
"Head of Quality" with document-control scope. Someone is hired into a "Head of Quality" role to run what is effectively document control and training records. The title signals a senior scope to the Notified Body, the board, and the next round of investors. When the auditor asks about CAPA effectiveness, internal audit findings, or management review outputs, it becomes clear the person has never run any of it. This is a 6.2 competence problem hiding inside a 5.5 authority problem, and it is the pattern that produced the Austrian fake-expert disaster.
"RA Manager" with no MDR fluency. Someone with a life-sciences degree and project management experience is hired as "RA Manager" without ever having read an MDR article end to end. They run the submission calendar and chase Notified Body correspondence, but they cannot answer a first-principles regulatory question about the device. The failure mode surfaces at the first technical review, when a specific Annex VIII rule or a specific Annex I GSPR has to be defended and there is nobody in the room who can defend it.
"PRRC" as a nominated title without Article 15 qualification. Someone is appointed PRRC because the appointment letter was needed for the Notified Body, without verifying that they meet the Article 15(1) criteria by either the degree-plus-one-year or the four-year experience route. The appointment does not satisfy Article 15, so at audit or inspection the company has a gap in a mandatory role, with a letter on file that only looks like it fills it.
The subtraction move is to refuse title inflation at the point of hire. Name the seat honestly. If the scope is document control, call it document control. If the person meets PRRC criteria, document the path. If they do not, do not hand them the title. See How to Evaluate a Regulatory Hire for the competence test framework.
The Vienna QA manager. Done right
Back to the Vienna story, because it is the cleanest example of a small quality team working. What the Vienna QA manager did, in order:
- She named the clauses. She wrote down every clause of EN ISO 13485:2016+A11:2021 and every area listed in MDR Article 10(9). Not paraphrased. The actual clause references. That was the checklist the QMS had to satisfy.
- She started from a framework she knew. She did not invent a QMS from scratch. She used the structure of a previous QMS she understood cold, as a scaffold.
- She customised ruthlessly. Every procedure that existed in the old QMS because the old company was larger, or older, or in a different device class, was cut. Every procedure that was kept was rewritten for the 3-person startup's actual processes, not the old company's.
- She mapped cross-functional QA to engineering. Design controls, risk management, and verification were defined as engineering activities with defined records, not as a separate QA department's work.
- She made the CEO the management representative. Clause 5.5 was satisfied by an explicit appointment, documented in the QMS, with the CEO actually sitting in the management review meetings and owning the output.
- She documented competence under clause 6.2 for every role, including her own. The competence file was not thick, but it was specific.
The result was a QMS that a Notified Body auditor walked through in roughly a day. No findings that threatened the certificate. A small quality team that the company could afford, carrying the full scope of the standard. This is what "proportionate to the risk class and the type of device" actually looks like in practice.
Contrast this with the Berlin template QMS disaster we cover in the QMS category posts. A startup that bought a template QMS, stamped the company name on it, and discovered at audit that the document set described a company that did not exist. Same starting material (a framework), opposite outcomes. The difference is ruthless customisation versus blind copy-paste.
The Subtract to Ship angle
The Subtract to Ship framework applied to a quality team looks like this. Do not hire a quality team that matches the enterprise org chart template. Hire the smallest team that can honestly carry QA and RA as distinct bodies of work, with the PRRC appointment made correctly, with the technical team carrying cross-functional QA, and with the CEO owning management responsibility. Do not call work something it is not. Do not collapse QA into RA or RA into QA, even if the same person is doing both, because the distinction is what keeps the regulation and the QMS aligned. Do not treat the ISO clauses as paperwork. Treat them as the boundary conditions of the smallest quality team that actually works.
What you keep is a small number of honest seats, real competence behind each one, and a QMS that is proportionate in the Article 10(9) sense. Everything else is either premature or pretend.
Reality Check. Where do you stand?
- Can you name, by name, the person in your company who owns QA (the QMS operator) and the person who owns RA (the regulation interpreter)? If it is the same person, is the competence real on both sides, or is one of the hats loose?
- Has your CEO been appointed as the management representative under EN ISO 13485:2016+A11:2021 clause 5.5? If not the CEO, who has, and is the appointment documented?
- For every person in your quality team, is there a clause 6.2 competence file (education, training, skills, experience) that an auditor could read and find credible?
- Does your technical lead or CTO own cross-functional QA inside engineering (design controls, verification, risk management) with defined records, or is engineering treating quality as "the QA person's problem"?
- Is your PRRC a distinct, named appointment, separate from the "head of quality" title, with documented Article 15(1) qualification?
- When you look at your QMS procedures, can you point to any that exist only because a template included them, without being genuinely customised for your device?
- If a Notified Body auditor walked in next week, how long would it take to walk them through the whole QMS end to end? (If the answer is more than two days for a 3-person startup, the QMS is bloated.)
- Have you ever had a title in your company where the scope was smaller than the title suggested? If yes, are you still carrying that mismatch?
Frequently Asked Questions
What is the minimum QA/RA team for a MedTech startup? At 3 people, the minimum is one person carrying QA and RA together, a technical lead owning cross-functional QA inside engineering, and a CEO appointed as the management representative for the QMS under EN ISO 13485:2016+A11:2021 clause 5.5. The PRRC under MDR Article 15 is a separate appointment that may or may not sit with the same person depending on whether they meet the Article 15(1) qualification criteria. The arrangement is legally permitted by MDR Article 10(9) because the QMS must be proportionate to the risk class and the type of device.
What is the difference between QA and RA in a MedTech startup? QA (Quality Assurance) operates the QMS. Document control, training, internal audits, CAPA, management review, supplier controls, release records, complaint handling. RA (Regulatory Affairs) interprets the MDR and the harmonised standards and translates them into intended purpose, classification, regulatory strategy, the technical file architecture, and the Notified Body relationship. QA thinks in procedures; RA thinks in articles. In a small startup one person often carries both, but the bodies of work are distinct and the competence required on each side is different.
When should a startup hire a dedicated Head of Quality? Usually between 10 and 30 employees, or earlier if the QMS operation is demanding more than half of a single person's time. Before that, the quality and regulatory lead carries the function and the CEO acts as management representative. The signal to hire a dedicated head of quality is work that is no longer getting done (internal audits slipping, CAPAs stalling, management reviews becoming ceremonial), not an org chart milestone. See Hiring Your First Quality Manager for MedTech.
Does MDR allow a smaller QMS for small startups? Yes. MDR Article 10(9) explicitly requires the QMS to be proportionate to the risk class and the type of device. This is legal permission to run a smaller QMS for a smaller, lower-risk device. However, the list of areas the QMS must address in Article 10(9) (regulatory strategy, GSPR identification, management responsibility, risk management, clinical evaluation, product realisation, UDI, PMS, vigilance, CAPA, and others) is not proportionate. All areas must be covered at any company size. What scales is depth and infrastructure, not scope.
Can the CTO of a MedTech startup own design controls and risk management? Yes, and in small startups this is often the right structure. Design controls, design verification and validation, risk management, and software lifecycle management are engineering activities that belong inside the product team, with the quality function wrapping the records, audits, and procedures around them. This works only if the CTO treats quality as part of engineering rather than someone else's problem, and if the quality lead audits the records rather than duplicating the engineering work.
What is the most common failure in a startup quality team? Title inflation. Hiring someone into a "Head of Quality" or "RA Manager" seat whose actual scope is narrower and whose competence does not match the title. The failure surfaces at the first real Notified Body audit or the first serious compliance question, when it becomes clear the person cannot defend the work at the depth their title implied. The fix is to name seats honestly, document competence under EN ISO 13485:2016+A11:2021 clause 6.2, and refuse to upgrade a title without upgrading the work behind it.
Is the PRRC the same as the Head of Quality? Not necessarily. The PRRC is a legal function under MDR Article 15 with specific qualification requirements and specific tasks. The Head of Quality is an operational title for the person running the QMS. The same person can hold both if they meet the Article 15(1) qualification criteria, but the appointments are distinct and the PRRC appointment has to be made explicitly, documented, and backed by the Article 15(6) protection. Collapsing the two into one title without verifying Article 15 qualification produces a legal gap at audit time.
Related reading
- The MedTech Startup Team: Key Roles You Need Before and After CE Marking – the hub post for the team building category.
- PRRC and MDR Article 15 – the legal foundation of the PRRC role.
- PRRC Options for Startups – practical options for small companies under Article 15(2).
- DIY vs Hiring a Regulatory Consultant – the competence verification framework that applies to every quality hire.
- The Subtract to Ship Framework for MDR – the methodology behind every team decision in this post.
- Building Your QMS From Scratch vs Using a Template – the framework-and-customisation pattern from the Vienna story.
- The Ten Most Common QMS Non-Conformities – the audit-time consequences of a poorly built quality function.
- ISO 13485 Clause 5.5 in Practice – the responsibility and authority clause in detail.
- ISO 13485 Clause 6.2 Competence Files – how to document competence for a startup quality team.
- Hiring Your First Quality Manager for MedTech – timing and profile for the first dedicated QM hire.
- The PRRC Role in Startups: Hiring, Outsourcing, or Training Someone Internal – the companion PRRC decision framework.
- How to Evaluate a Regulatory Hire – the competence test for quality and regulatory candidates.
Sources
- Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers), Article 10(9) (quality management system, proportionate to the risk class and the type of device, and the list of areas the QMS shall address), Article 15 (person responsible for regulatory compliance). Official Journal L 117, 5.5.2017.
- EN ISO 13485:2016 + A11:2021. Medical devices. Quality management systems. Requirements for regulatory purposes. Clause 5.5 (responsibility, authority, and communication, including the management representative appointment). Clause 6.2 (human resources: competence based on education, training, skills, and experience, with documented records).
This post is part of the Team Building, Operations & Scaling category in the Subtract to Ship: MDR blog, under the Quality Team Design subcategory. Authored by Felix Lenhard and Tibor Zechmeister. If your company is at the point of designing or redesigning its quality team, read this alongside the hub post and the PRRC decision framework, then run the Reality Check against the seats you actually have today.