Big MedTech companies are excellent at three things worth copying: regulatory rigor, clinical evidence, and post-market surveillance. They are terrible at three things worth avoiding: committee ceremony, paperwork inflation, and change-control paralysis. A startup keeps the rigor and skips the rest. That is Subtract to Ship applied to organisational design.

By Tibor Zechmeister and Felix Lenhard.

TL;DR

  • Incumbents are genuinely good at regulatory rigor, clinical evidence discipline, and post-market surveillance infrastructure. Copy these.
  • Incumbents are bad at speed, proportionality, and decision-making. Do not copy these.
  • The test for whether a process is worth keeping is simple: does it trace to an MDR obligation or does it exist because someone wrote a procedure once and nobody has killed it?
  • A startup can build a fully compliant QMS under EN ISO 13485:2016+A11:2021 with roughly one tenth of the procedures most incumbents run, and still pass the same audits.
  • The Subtract to Ship discipline is to inherit the rigor and subtract the ceremony. What you remove is how you ship.

Why this matters

Every MedTech founder who has worked at Medtronic, Philips, Siemens Healthineers, or Roche brings something valuable: a visceral understanding of what "proper" looks like. They know what a CER should read like. They know what a risk management file should contain. They know what a post-market surveillance system looks like when it is working.

They also bring baggage. They remember the 40-person design review committees, the 60-day document approval cycles, the change controls that took a quarter to close, the procedures written for procedures. And in the panic of early MedTech life, they often recreate the baggage alongside the rigor, because it all felt normal at the big company.

This post is about separating the two. What to keep. What to leave behind. Why the difference matters.

What MDR actually says about process

The MDR is surprisingly quiet on process design. It tells you what you must achieve, not how to achieve it:

  • Article 10 lists manufacturer obligations: QMS, technical documentation, risk management, clinical evaluation, PMS, vigilance.
  • Article 10(9) requires a QMS that "ensures compliance with this Regulation" and references the elements such processes must address. It does not prescribe how many SOPs you must have or how many signatures each document requires.
  • Article 83 requires a PMS system "proportionate to the risk class and appropriate for the type of device." The word "proportionate" is load-bearing. It appears repeatedly in the MDR.
  • Annex I lists the General Safety and Performance Requirements. Achieving them is mandatory. How you achieve them is your design decision.

Nowhere does the MDR mandate a 40-person design review committee. Nowhere does it require a 60-day document approval cycle. Those are inherited cultural artefacts, not legal requirements. EN ISO 13485:2016+A11:2021 similarly specifies what the QMS must do, not the organisational theatre around it.

This is the founding insight: the rigor is mandatory, the ceremony is optional.

A worked example: design reviews at scale and at startup

At a large incumbent, a design review for a Class IIb device might look like this: 14 attendees including clinical, regulatory, QA, R&D, manufacturing, marketing, post-market surveillance, legal, and a chair. Pre-read circulated five business days in advance. Meeting runs 90 minutes. Minutes drafted within 48 hours, circulated for correction, signed electronically, filed in the eQMS. Total elapsed time from scheduling to closure: two to three weeks. Total cost in loaded person-hours: high four figures in euros.

At a six-person startup with the same Class IIb device, the same design review can look like this: four attendees (CTO, regulatory lead, clinical advisor, quality lead). Pre-read circulated the day before (or less). Meeting runs 45 minutes. Decisions captured live in a shared document, signed the same day, filed in a lightweight eQMS. Total elapsed time: one day. Total cost: a few hundred euros of person-time.

Is the startup version non-compliant? No. EN ISO 13485 requires that design reviews be documented, that the participants be competent, and that the results and follow-up actions be recorded. Both versions satisfy the standard. The difference is that the startup removed the ceremony that had nothing to do with the standard.

The test to apply: for every element of the incumbent's process, ask "which clause of EN ISO 13485 or which article of the MDR requires this?" If the answer is "none, it was just how we did it," that element is ceremony. Subtract it.

What is actually worth copying from incumbents

Not everything incumbents do is bloat. Some of it is genuinely hard-won and worth inheriting.

Regulatory rigor as a default. Incumbents take regulatory obligations seriously at every level, from the junior engineer to the CEO. Nobody shrugs off a GSPR. Nobody hopes an auditor will miss something. That cultural default is worth copying on day one. Founders who grew up in SaaS often miss this and pay for it at their first Notified Body audit.

Clinical evidence discipline. Incumbents build clinical evaluation plans before they build products. They understand that the CER is not an afterthought. They appraise evidence systematically. They do literature searches with protocols. Copy this completely.

Post-market surveillance as a real system. Big MedTech runs PMS as a live operational function: trend analysis, complaint triage, periodic review, feedback loops into risk management and clinical evaluation. Startups treat PMS as a binder they will assemble later. Copy the incumbent model here, proportionately.

Supplier controls. Incumbents know that an unqualified supplier is a time bomb. They have real qualification processes, real audits, real agreements. Startups often skip this and get burned at the Stage 2 audit.

Risk management as a live discipline. The risk file is not a document; it is a process. Incumbents update it whenever anything changes. Copy this.

What to leave behind

Committee ceremony. Meetings that exist because they always have, with 15 attendees and a pre-read nobody reads. Replace with small, focused reviews with the minimum competent attendees.

Paperwork inflation. Procedures that reference other procedures that reference templates that reference forms. If you cannot trace a document to an MDR clause or an ISO requirement, ask why it exists.

Change control paralysis. At incumbents, a minor software change might take 90 days to get through change control. At a startup, the same change should take a day or two without sacrificing traceability. The ISO requirement is that changes be controlled, reviewed, and documented, not that they be slow.

Sign-off inflation. Six signatures on a document where one would legally suffice. The MDR and ISO 13485 require competent approval. They do not require seven people.

Parallel systems. Incumbents often run the QMS, the project management system, the document management system, the training system, and the CAPA system in five different tools that do not talk to each other. A startup can run all of this in two or three tools with dramatically better coherence.

Procedures written in the passive voice to sound important. If nobody on the team can summarise what a procedure requires, it is not a procedure. It is decoration.

The Subtract to Ship playbook

Apply this sequence when you are setting up a process and tempted to copy something from an incumbent.

Step 1. Write down the MDR or ISO requirement the process must satisfy, in one sentence. If you cannot, do not build the process.

Step 2. Draft the smallest possible process that satisfies the requirement. Not the most elegant, not the most impressive to an auditor. The smallest.

Step 3. Test it against a real scenario. Run it on a current decision. Does it produce a compliant, traceable outcome? If yes, ship it.

Step 4. Resist the urge to add ceremony. When someone says "but at my last company we also did X," ask "which clause required X?" If the answer is none, do not add X.

Step 5. Revisit every six months. Processes accumulate cruft. Delete what is not pulling its weight.

This is the Subtract to Ship discipline applied to organisational design. The rigor is non-negotiable. The ceremony is negotiable. Most founders get this backwards.

Reality Check

  1. Can every process in your QMS be traced to a specific MDR article or EN ISO 13485 clause?
  2. Do your design reviews include only the competent people who need to be there, or are they full of observers?
  3. How long does a document take to go from draft to approved in your company? If it is more than a week, why?
  4. Is your risk management file a living process or a PDF that was signed once and forgotten?
  5. Is your PMS a real operational system, or a binder waiting for the next audit?
  6. Are you copying incumbent processes because they are required, or because they feel safe?
  7. When you catch a ceremonial process, do you kill it, or do you leave it because it looks professional?

Frequently Asked Questions

Is a lean QMS actually auditable? Yes. Notified Body auditors are trained to assess compliance against EN ISO 13485 and the MDR, not against incumbent norms. A lean QMS that satisfies the clauses passes.

What happens if my investor expects incumbent-style processes? Educate the investor. The regulation is public. You can show them the specific clauses your lean processes satisfy. Most MedTech-literate investors understand proportionality; the ones who do not are a bad fit.

Do auditors really accept small design review meetings? Yes, if the review is documented, the participants are competent, and the actions are tracked. That is what the standard requires.

What is the biggest failure mode when copying incumbents? Copying the ceremony without the competence. A 40-person design review with no regulatory expertise in the room is worse than a four-person review with the right people.

When should I add more process? When you hit a real problem (a nonconformity, a customer complaint pattern, a near-miss) that your current process did not catch. Then add only the process that addresses that specific gap.

Is Subtract to Ship just about being cheap? No. It is about being proportionate. A Class III implantable startup should have more process than a Class I general wellness-adjacent device. Subtract to Ship means matching process to risk, not minimising it for its own sake.

Sources

  1. Regulation (EU) 2017/745 on medical devices, consolidated text. Articles 10, 83, Annex I.
  2. EN ISO 13485:2016+A11:2021. Medical devices QMS requirements.
  3. EN ISO 14971:2019+A11:2021. Application of risk management to medical devices.