---
title: Knowledge Management in MedTech Startups: Retaining Regulatory Know-How
description: How MedTech startups retain regulatory know-how, reduce key-person risk, and turn documentation into a knowledge asset auditors trust.
authors: Tibor Zechmeister, Felix Lenhard
category: Team Building, Operations & Scaling
primary_keyword: knowledge management MedTech startup regulatory
canonical_url: https://zechmeister-solutions.com/en/blog/knowledge-management-medtech-startups
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# Knowledge Management in MedTech Startups: Retaining Regulatory Know-How

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **Knowledge management in a MedTech startup is the deliberate practice of turning individual know-how into institutional assets the company owns. Under EN ISO 13485:2016+A11:2021 clauses 4.2 and 6.2, and MDR Article 10, the manufacturer, not any individual employee, carries the regulatory obligation. If the knowledge walks out the door, the obligation stays behind.**

## TL;DR
- Under MDR Article 10, the manufacturer is accountable for conformity, not the individual who wrote the document.
- EN ISO 13485:2016+A11:2021 clause 4.2 treats documentation as the primary medium of institutional knowledge, not bureaucratic overhead.
- Clause 6.2 requires documented competence and training records for everyone whose work affects product quality.
- Key-person risk is the most common hidden fragility in early-stage MedTech quality management systems.
- A startup that cannot reconstruct a classification decision, a risk rationale, or a software requirement from its own records has a knowledge gap, not a paperwork gap.
- Good knowledge management is the cheapest insurance a founder can buy against departures, audits, and investor due diligence.

## Why this matters

Every MedTech startup runs on tribal knowledge in its first two years. The CTO remembers why the motor current limit was set to 1.8 A. The regulatory lead remembers which MDCG clarification pushed the classification from Class IIa to Class IIb. The clinical lead remembers why the literature search excluded three obvious papers. None of it is written down properly. And then someone leaves.

That is the moment a startup discovers whether it has a knowledge management system or just a group of smart people who happen to work in the same room. The answer matters because under MDR Article 10, the manufacturer, a legal entity, bears the regulatory obligations for the device. Not the founder. Not the regulatory lead. Not the contractor who wrote the Clinical Evaluation Plan. The company.

If the company cannot, on a Tuesday morning, open a folder and show an auditor why a design decision was made, the company has a finding. It does not matter that the engineer who made the decision was brilliant. It does not matter that the logic was sound. The manufacturer has to be able to demonstrate it, on its own, from its own records. That is what knowledge management in a regulated environment actually means.

## What MDR and EN ISO 13485 actually say

MDR Article 10 sets the general obligations of manufacturers. Among them: establish, document, implement, maintain, keep up to date, and continually improve a quality management system that ensures compliance with the Regulation in the most effective manner. Article 10(9) requires the QMS to address, among other things, resource management including selection and control of suppliers, and the strategy for regulatory compliance. The legal subject of every one of those verbs is the manufacturer, not an employee.

EN ISO 13485:2016+A11:2021 gives the operational form:

**Clause 4.2 Documentation requirements.** The QMS documentation shall include documented statements of quality policy and objectives, a quality manual, documented procedures and records required by the standard, and documents including records determined by the organization to be necessary to ensure the effective planning, operation, and control of its processes. Clause 4.2.4 requires control of records, and 4.2.5 requires records to be retained for the lifetime of the device, and in any case not less than two years from the date the device is placed on the market, unless longer periods are specified elsewhere.

**Clause 6.2 Human resources.** Personnel performing work affecting product quality shall be competent on the basis of appropriate education, training, skills, and experience. The organization shall document the process for establishing competence, providing needed training, and ensuring awareness of personnel. Records of education, training, skills, and experience shall be maintained.

Read those two clauses in sequence and the standard is telling you something specific. Documentation is the external, inspectable form of institutional knowledge. Competence is the internal form. The standard requires both, because either one alone is insufficient. A trained person who never writes anything down is a risk. A filing cabinet full of procedures no one understands is also a risk.

Translated to startup reality: documentation is not a checkbox. It is the medium through which the company retains what it learns. If the medium is poor, the company forgets faster than it learns.

## A worked example

A Class IIa wearable startup we will call NovaPulse has eight people. Their regulatory lead, Marta, joined eighteen months ago as employee number three. She ran the classification exercise, wrote the Clinical Evaluation Plan, picked the harmonized standards, drafted the Declaration of Conformity approach, and negotiated with the Notified Body. She holds the full regulatory picture in her head.

Her documentation situation: a classification justification that is three paragraphs long, a gap analysis in a spreadsheet no one else has opened in ten months, a Clinical Evaluation Plan that references MDCG documents by name but not by revision, a risk file that cross-references design decisions Marta made but whose rationale lives only in Slack threads from Q2. Technically, files exist. Practically, the knowledge lives in Marta.

Marta gets recruited by a larger competitor. She gives four weeks' notice.

Under MDR Article 10, NovaPulse still has to maintain its QMS, still has to keep its technical documentation current, still has to respond to the next unannounced audit, still has to run PMS activities. The obligation did not travel with Marta. The capacity to discharge it might have.

What NovaPulse needs to recover, from its own records, in the four-week window: the rationale behind the classification choice, the logic of the harmonized standards selection, the assumptions underlying the clinical evaluation strategy, the open issues with the Notified Body, the status of every CAPA in flight, the competence mapping for every role, and the training history for every engineer on the team. If those exist only in Marta's head, the company has a knowledge debt that cannot be paid off in four weeks. If they exist in readable documents with named owners and version histories, the handover is a two-day exercise.

This is not a hypothetical. This is the single most common failure mode we see in early-stage MedTech. And it is entirely preventable if documentation is treated as a knowledge medium from day one.

## The Subtract to Ship playbook

Knowledge management in a small MedTech team is not about installing expensive platforms. It is about a small number of disciplined habits that make documentation carry the knowledge the company actually depends on.

**1. Write the "why" in the same document as the "what".** Clause 4.2 requires records. Records that describe what was decided without capturing why it was decided have half the information value. When you write a classification justification, include the alternative classifications you considered and why you rejected them. When you pick a harmonized standard, note the alternatives and the reason for the choice. This is how a new person reads the document six months later and actually understands.

**2. Every document has a single named owner.** Not a team. A person. Under clause 4.2.3 document control, ownership is what makes updates happen. Under clause 6.2, the owner must be competent for the role. Map owners explicitly. When a person leaves, reassign ownership in writing before the last day.

**3. The competence matrix is a live document, not a once-a-year exercise.** Clause 6.2.2 requires records of education, training, skills, and experience. A spreadsheet mapping every role to required competencies and every person to evidence against those competencies is the cheapest form of insurance against key-person departures. Update it when people join, when people leave, when roles change, and before every audit.

**4. Decisions live in decision logs, not in chat.** Slack and Teams are not QMS records. They lose fidelity, they are hard to export, and they are invisible to an auditor. When a regulatory, clinical, or design decision is made, the decision, the context, the alternatives considered, and the rationale go into a dated, versioned document. Link to it from the downstream artifacts it affects.

**5. Run a "bus test" quarterly.** Pick one critical function. Ask: if the person who owns this function left tomorrow, could someone else pick up the work from the documentation alone? If the answer is no, you have a knowledge debt. Treat it like a CAPA. Assign an owner. Close it.

**6. Onboarding is a knowledge audit.** New hires should be able to read themselves into their role from existing documentation. Every time a new hire asks a question that cannot be answered from documents, that question is telling you where the knowledge gap is. Log those questions. They are free diagnostics.

**7. Treat transitions as planned events, not crises.** When someone gives notice, the first week of the notice period is for knowledge transfer that updates documents, not for Slack conversations. Record the transfer against the competence matrix. The successor signs off that the handover documentation is complete.

**8. Keep the documentation set small enough to actually maintain.** This is the Subtract to Ship discipline applied to knowledge management. Twenty living, current, well-owned documents beat eighty stale ones. Before adding a new SOP, ask whether an existing one can be extended instead. Clause 4.2.1 tells you to document what is necessary for effective planning, operation, and control. It does not tell you to document everything.

## Reality Check

1. If your regulatory lead left tomorrow, could you reconstruct your classification rationale from documentation alone?
2. For every SOP in your QMS, can you name the owner and the date of the last review within thirty seconds?
3. Do your decision logs capture alternatives considered, or only the choice that was made?
4. Does your competence matrix have a row for every person on the team and a column for every skill your QMS depends on?
5. Can a new hire in a regulatory role read themselves into the job from documents alone, or does onboarding require tribal knowledge?
6. When was the last time you ran a deliberate "bus test" on any critical function?
7. Are your meaningful regulatory discussions happening in dated, versioned documents or in Slack threads?
8. If your Notified Body asked for the rationale behind a harmonized standards selection made eighteen months ago, could you produce it in an afternoon?

## Frequently Asked Questions

**Does EN ISO 13485 actually require a competence matrix?**
The standard requires, in clause 6.2.2, that the organization determine necessary competence, provide training or take other actions, evaluate effectiveness, ensure awareness of personnel, and maintain records. A competence matrix is the most common and practical way to satisfy those requirements in a small team. It is not the only way, but it is the one auditors recognize fastest.

**How long do we have to keep records?**
EN ISO 13485:2016+A11:2021 clause 4.2.5 requires retention for the lifetime of the medical device as defined by the organization, but not less than two years from the date the device is released for distribution by the organization. Other regulations may impose longer periods. Check your specific device class and market obligations.

**Is a wiki enough, or do we need a formal document management system?**
Either can satisfy clause 4.2.3 document control, provided the system enforces approval, version control, identification of current versions, prevention of use of obsolete versions, and legibility. Many early-stage startups start on a wiki and migrate to a formal eQMS as complexity grows. What matters is that the chosen system actually delivers those controls in practice.

**We are three people. Is this overkill?**
No. At three people the knowledge management problem is easier to solve and cheaper to maintain than at thirty. The habits formed at three scale. The habits not formed at three become debt at thirty.

**What is the single biggest knowledge management failure auditors find?**
Undocumented rationale. The artifact exists. The decision is visible. The reason is not. An auditor reading the file cannot tell whether the decision was sound or arbitrary. That is a finding under clauses 4.2 and 7.3 together, and it is entirely preventable.

**Can we outsource regulatory work and still meet these obligations?**
Yes, with care. Outsourcing does not transfer the MDR Article 10 obligation. The manufacturer remains accountable. Contracts must be clear, deliverables must include the rationale not just the output, and internal competence must be sufficient to evaluate what the contractor delivers. Otherwise you have replaced key-person risk with key-supplier risk.

## Related reading
- [MDR competence requirements and ISO 13485](/blog/mdr-competence-requirements-iso-13485) — how clause 6.2 applies to small teams
- [Training and development for your MDR team](/blog/training-development-team-mdr) — building the training side of the knowledge equation
- [Building a QA and RA team in a startup](/blog/building-qa-ra-quality-team-startup) — team design that reduces key-person risk
- [Document control for startups](/blog/document-control-startup) — the mechanics behind clause 4.2.3
- [Qualification gap analysis for MedTech startups](/blog/qualification-gap-analysis-medtech-startups) — mapping skills to MDR obligations

## Sources
1. Regulation (EU) 2017/745 on medical devices, consolidated text. Article 10.
2. EN ISO 13485:2016+A11:2021, Medical devices — Quality management systems — Requirements for regulatory purposes. Clauses 4.2, 6.2.

---

*This post is part of the [Team Building, Operations & Scaling](https://zechmeister-solutions.com/en/blog/category/team-operations) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*
