A culture of quality in a MedTech startup is the set of daily behaviors that make compliance the default choice rather than a policed one. MDR Article 10(9) places the QMS obligation on the manufacturer, and EN ISO 13485:2016+A11:2021 clause 5 places it squarely on top management, but the evidence of culture shows up in what the most junior engineer does on a Tuesday when no one is watching.

By Tibor Zechmeister and Felix Lenhard.

TL;DR

  • MDR Article 10(9) requires manufacturers to have a QMS that ensures compliance "in the most effective manner." Effectiveness is demonstrated by behavior, not by documents alone.
  • EN ISO 13485:2016+A11:2021 clause 5 places primary responsibility for the QMS on top management, including quality policy, planning, and review.
  • Culture of quality means quality is owned by everyone, not delegated to a QA team that absorbs the consequences of other people's shortcuts.
  • Notified Body auditors read culture through micro-signals: how engineers talk about quality, how meetings run, how problems get reported, how management review actually happens.
  • The behaviors that build the culture are cheap and boring. The consequences of their absence are expensive and loud.
  • Founders who treat quality as a cost center get the QMS their cost allocation deserves.

Why this matters

The first thing that disappears under startup pressure is careful work. When a sprint is behind, a demo is tomorrow, and an investor is in the office on Thursday, the invisible cost of cutting a corner looks small. The cost shows up eighteen months later in an audit finding, a complaint you cannot close, a technical file you cannot defend, or a late-stage rework that eats the runway you thought you had saved.

We have watched startups get through their Notified Body audit on the strength of one person's heroism and then lose that person and fall apart. We have watched other startups with smaller teams sail through audits because quality was not a department but a habit. The difference is not the size of the QMS folder. It is the set of behaviors that the team considers normal.

MDR Article 10(9) asks manufacturers to establish a QMS that ensures compliance "in the most effective manner, in a manner that is proportionate to the risk class and the type of device." That phrase is doing more work than founders realize. Effectiveness is not measured by the thickness of the manual. It is measured by whether the system actually produces safe devices consistently. And that is a cultural question as much as a procedural one.

What MDR and EN ISO 13485 actually say

MDR Article 10(9) obliges manufacturers to establish, document, implement, maintain, keep up to date, and continually improve a QMS that ensures compliance with the Regulation in the most effective manner and in a manner that is proportionate to the risk class and the type of device. The QMS must address, at minimum, a strategy for regulatory compliance, identification of applicable GSPRs, responsibility of management, resource management including selection and control of suppliers and sub-contractors, risk management, clinical evaluation including PMCF, product realisation, verification of UDI assignments, PMS, communication with competent authorities, Notified Bodies and other stakeholders, reporting of serious incidents and FSCAs, CAPAs and verification of their effectiveness, and processes for monitoring and measurement of output, data analysis, and product improvement.

EN ISO 13485:2016+A11:2021 clause 5 Management responsibility. The standard dedicates an entire chapter to what management has to do. Clause 5.1 requires top management to provide evidence of commitment to development, implementation, and maintenance of the QMS. Clause 5.3 requires top management to establish a quality policy. Clause 5.4 requires quality objectives to be established at relevant functions and levels and the QMS itself to be planned. Clause 5.5 requires responsibilities and authorities to be defined, documented, and communicated, and a member of management to be appointed as management representative. Clause 5.6 requires management review at planned intervals, with defined review inputs (5.6.2) and outputs (5.6.3).

Read together, these two sources say something that is easy to miss: regulatory compliance is an obligation of management, discharged through behavior, demonstrated by evidence. The standard does not say "have a QA department and let them worry about it." It says top management is responsible, and top management has to show it.

That sentence is the entire culture-of-quality idea. If the founders do not model it, no poster in the kitchen will produce it.

A worked example

Two Class IIa startups, same product category, same team size, audited in the same month.

Startup A. Management review is a calendar event that happens twice a year. It runs for sixty minutes. The COO presents a deck. The founders nod. Actions are assigned but not tracked. When the auditor asks an engineer about the quality policy, the engineer says "it's in the manual somewhere." When the auditor asks how design changes get decided, the engineer describes a Slack conversation. When the auditor opens a CAPA that has been open for eight months, no one can explain why. The audit report has four major nonconformities, all of them under clause 5. The findings cluster around one root cause: management involvement is nominal, not real.

Startup B. Management review happens quarterly, with a fixed agenda drawn from the review inputs listed in clause 5.6.2, and the review records show trend data from complaints, audits, CAPAs, and PMS feedback. When the auditor asks an engineer about the quality policy, the engineer says "we talk about it at the quarterly all-hands. The short version is: if you're not sure it's safe, stop and ask." When the auditor asks how design changes get decided, the engineer opens the change register and walks through a recent example. When the auditor opens a CAPA, it has an owner, a dated action plan, and evidence of progress. The audit report has one minor observation about a missing date on a training record. The findings, or the absence of them, cluster around one root cause: management actually runs the QMS.

These are not hypothetical startups. The difference between them is not their budget or their product. It is what their engineers say when the auditor turns to them. That is what culture of quality sounds like from the outside.

The Subtract to Ship playbook

1. Put the quality policy into language your team actually uses. Clause 5.3 requires a quality policy that commits to meeting requirements and maintaining the effectiveness of the QMS, and that gives a framework for quality objectives, but it does not require jargon. "If you're not sure it's safe, stop and ask" can be the headline of a valid quality policy, with those commitments stated underneath it, if it is approved, communicated, and lived. "The organization is committed to the continual improvement of processes..." is a valid quality policy that no one will ever say out loud. Pick the one your team will use.

2. Management review is the CEO's meeting, not the quality manager's. Clause 5.6 is addressed to top management. If the founders delegate management review to a quality lead, the auditor will detect it inside five minutes. Management reviews where the CEO is present, engaged, and making decisions are culturally distinctive and audit-distinctive. The standard only says "at planned intervals"; quarterly is a good interval for a startup. Schedule them, and protect the calendar.

3. Hire for the signal, not the keyword. In interviews, ask candidates to describe a time they had to push back on a decision because it was not safe or not compliant. Candidates who have never done this, or who cannot describe it crisply, are cultural risks regardless of their CV. Hire people who see compliance as part of their job, not as friction imposed on them.

4. Give engineers a direct path to raise quality concerns. If raising a concern is slow, social, or politically expensive, engineers will stop raising concerns. MDR Article 10 obligations cannot be met by a team that has learned silence. Make the path short, make the response visible, make the follow-through consistent.

5. Treat every deviation as a signal, not a failure. Clause 8.3 on nonconforming product and clause 8.5 on CAPA exist because deviations are expected. The question is whether the team hides them or surfaces them. Surfacing is a behavior that has to be rewarded. If the first reaction to a reported deviation is blame, the second reported deviation will be slower and the third will be invisible.

6. Walk the floor, literally or figuratively. In a ten-person team, the founders can and should know every SOP by name, every CAPA by status, and every audit finding by context. In a thirty-person team, the founders should still be reading the management review pack line by line. Distance from the QMS is the fastest way to lose the culture.

7. Make training count, not tick. Clause 6.2 requires competence and training records. Training that happens by clicking through slides at five-to-five on a Friday produces compliant records and zero competence. Replace clickthroughs with short, spaced, interactive sessions tied to actual tasks. Measure competence by what people can do, not by what they have attended.

8. Audit yourself honestly. Clause 8.2.4 requires internal audits. A startup that runs its internal audits to produce clean reports is wasting the exercise. Internal audits are most valuable when they are uncomfortable. Assign an auditor who is willing to write findings, and protect them from the social consequences of doing so.

9. Celebrate quality work publicly. If engineering wins get celebrated and quality wins do not, the team learns what the company values. Publicly recognize the engineer who caught a design flaw early, the technician who flagged a drift, the regulatory lead who pushed back on a claim that was too broad. Culture is built on what gets praised.

Reality Check

  1. If a Notified Body auditor asked three randomly chosen engineers to describe your quality policy, would the three answers be consistent?
  2. Who runs your management review meeting, and are the founders present and engaged throughout?
  3. When was the last time an engineer raised a quality concern, and what happened to it?
  4. In your last three hires, did any interview question specifically probe the candidate's relationship with quality and compliance?
  5. How long does it take, on average, from a reported deviation to a decision about how to handle it?
  6. Are your internal audits producing findings that management takes seriously, or are they producing clean reports?
  7. What proportion of your CAPAs are closed within the timeline you committed to?
  8. If an engineer had to choose between shipping a feature on time and raising a quality concern that would delay it, what would they actually choose, and how do you know?

Frequently Asked Questions

Is culture of quality actually auditable? Not directly, but the symptoms are auditable everywhere. Management review records, CAPA timelines, training effectiveness, internal audit findings, employee interview responses, and the state of document control all produce observable evidence of cultural health. Experienced auditors can read the culture of a company in an afternoon. They may not write "culture" in the report, but the findings they do write reflect it.

Does the founder have to be involved in the QMS, or can we hire a Quality Director? Both. EN ISO 13485 clause 5 places obligations on top management that cannot be fully delegated. You can and should hire a Quality Director to run the system day to day. The founder still has to show up for management review, sign off on the quality policy, participate in resource decisions, and own the strategy for regulatory compliance required by MDR Article 10(9).

How small can a startup be and still have a real quality culture? Three people is not too small. In fact, the habits formed at three people scale much better than habits retrofitted at thirty. The substance is not about team size. It is about what the team considers normal behavior.

What is the most common cultural failure you see in audits? Quality treated as a cost center. Quality lead reports into operations or engineering rather than directly to the CEO. Management review happens because the standard requires it, not because management wants the information. When quality is structurally subordinate, the culture follows the structure.

How do we recover if we already have a poor quality culture? Start with management behavior. Hold a real management review. Make visible decisions based on quality data. Protect the person who raises the first uncomfortable concern. Publicly act on internal audit findings. Culture follows what management does repeatedly, not what management says.

Is this different in software-only MedTech startups? The principle is identical. The implementation differs. Software startups should integrate quality behaviors into the engineering process (code review standards, traceability, release checklists, sprint retrospectives that include quality topics). The risk in software startups is that velocity culture overwhelms quality culture unless quality is explicitly protected.

Sources

  1. Regulation (EU) 2017/745 on medical devices, consolidated text. Article 10(9).
  2. EN ISO 13485:2016+A11:2021, Medical devices — Quality management systems — Requirements for regulatory purposes. Clause 5 Management responsibility, clauses 5.1–5.6.