MDR Article 10(9) requires every manufacturer to run a QMS that covers resource management, and EN ISO 13485:2016+A11:2021 clause 6.2 is the harmonised tool for doing it. Clause 6.2 requires the organisation to determine the necessary competence for every person whose work affects product quality, provide training or other actions to close the gap, evaluate the effectiveness of those actions, ensure awareness of the relevance of individual activities, and maintain records of education, training, skills, and experience. MDR Article 15 then layers a named competence obligation on top: the Person Responsible for Regulatory Compliance must meet the specific qualification criteria in Article 15(1). For a startup, operating clause 6.2 is not about a forty-row competence matrix — it is about one role profile per real seat, one honest record per real person, and one effectiveness check per training that actually happened.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.

TL;DR

  • MDR Article 10(9) names resource management as a mandatory QMS aspect, and EN ISO 13485:2016+A11:2021 clause 6.2 is the harmonised standard's answer for personnel competence.
  • Clause 6.2 requires the organisation to determine, provide, evaluate, ensure awareness, and record — five separate obligations, each checkable at audit.
  • Competence is not the same as qualification. A diploma is an input. Competence is demonstrated ability to do the specific role at the quality the device requires.
  • The four-step competence cycle is: define the competence the role needs, assess the gap for the specific person, close the gap with training or other actions, evaluate whether the gap actually closed.
  • Training records that satisfy clause 6.2 carry a date, a specific content reference, a named assessor, and effectiveness evidence — not just an attendance signature.
  • MDR Article 15 adds a named competence obligation for the PRRC, with minimum qualification criteria set out in Article 15(1) and legal protection from prejudice in Article 15(6).
  • The most common clause 6.2 finding in first audits is training delivered without effectiveness evaluation, closely followed by competence matrices copied from templates and never matched to the actual roles.

Why competence is the clause auditors open first

On a first-certification audit, once the opening meeting ends, the Notified Body auditor tends to do one of two things. They walk into the workspace and start asking who does what. Or they sit down at the QMS terminal and ask for the competence file. In both cases they are opening clause 6.2 before they open anything else, because clause 6.2 is where the paper QMS meets the real organisation. The procedures can be perfect and the device can still be unsafe if the people operating the procedures are not competent to operate them.

A founder we coached a few years ago learned this in the first hour of their Stage 1 audit. The QMS was well written. The technical file was organised. The auditor asked to see the competence record for the software architect — the person signing off the software releases. The file had a CV and nothing else. No role profile. No training on EN 62304:2006+A1:2015. No effectiveness evidence. The auditor wrote the finding within ten minutes and moved on to the next name on the org chart. By the end of the day there were five clause 6.2 findings on five different people, and the rest of the audit was overshadowed by a pattern that took three months and a CAPA to clear.

The pattern is almost universal. Founders spend eighteen months building a clean QMS and zero months building the competence file that clause 6.2 requires. Then the auditor opens the file that nobody curated and finds exactly what is there: not much.

Clause 6.2 — what the requirement actually says

EN ISO 13485:2016+A11:2021 clause 6.2, human resources, is short in words and dense in obligations. Read carefully, it contains five distinct requirements.

Determine the necessary competence. The organisation determines the competence required for each role whose work affects product quality. Competence is defined on four axes: education, training, skills, and experience. The determination happens once per role and is updated when the role changes.

Provide training or take other actions. Where the gap between required competence and actual competence is non-zero, the organisation provides training or takes other actions — supervised work, mentoring, re-assignment, hiring in. Training is one option, not the only option.

Evaluate the effectiveness. This is the requirement most often skipped. The organisation evaluates whether the action taken actually produced the required competence. Effectiveness evaluation is a separate step from training delivery, and the clause is explicit about it.

Ensure awareness. Personnel are aware of the relevance and importance of their activities and how they contribute to the achievement of quality objectives. Awareness is a lighter requirement than competence, and it applies to everyone — not only to the roles directly affecting product quality.

Maintain records. Records of education, training, skills, and experience are maintained. The record is specific to each person, kept current, and retrievable at audit.

Each of the five is checkable. A Notified Body auditor going through a competence file is looking for all five, for every person whose work affects product quality. Missing any one of them is a finding.

Competence vs qualification — the distinction that trips up founders

Founders often use the two words interchangeably, and the confusion causes real trouble in audit preparation. They are not the same.

Qualification is an input. A degree, a certificate, a diploma, a training completion record — the credentials a person brings into the role. Qualifications are evidence that a person has been exposed to a body of knowledge or practice. They do not, on their own, prove that the person can operate the role.

Competence is an output. It is the demonstrated ability to do the specific work at the quality the role requires. A person is competent for a role when they can perform the role's tasks correctly and consistently, as judged by a qualified assessor, on the evidence of actual work done.

Clause 6.2 asks for both. Education, training, skills, and experience are all named. But the clause is framed around competence, not qualifications — and the effectiveness requirement makes the distinction concrete. A training certificate is delivery. A practical sign-off after the trained person actually did the work is effectiveness. Qualifications get a person to the starting line. Competence is what crosses it.

For a software engineer on a Class IIa SaMD, the qualification might be a computer science degree plus a completed EN 62304:2006+A1:2015 training. The competence is the demonstrated ability to write, test, and release software in the company's specific lifecycle, under the company's specific risk controls, to the company's specific coding standard. Two engineers with identical qualifications can be competent or not for the same role. The file has to capture which one.

Defining competence per role — the role profile

The starting point for clause 6.2 is a role profile for every role whose work affects product quality. The profile is short — half a page at most — and states four things.

Required education. The minimum educational background the role needs. Degree, vocational qualification, or equivalent experience where the standard allows. "Equivalent experience" is acceptable in EN ISO 13485:2016+A11:2021, but the equivalence has to be documented, not assumed.

Required training. The specific trainings a person in this role must complete. Company SOPs relevant to the seat. Harmonised standards the role touches — EN 62304:2006+A1:2015 for software, EN ISO 14971:2019+A11:2021 for risk management, EN 62366-1:2015+A1:2020 for usability, and so on. Regulatory training covering the MDR articles and MDCG guidance documents the role depends on.

Required skills. The practical abilities the role requires. Not just "can code" but "can write unit tests that cover the risk-relevant paths in the product's coding standard." The skills line is where the role profile stops being generic and starts being about this company's device.

Required experience. The minimum relevant experience, expressed honestly. For a fresh graduate in a supervised seat, it may be zero years with mandatory mentorship. For a PRRC under MDR Article 15(1), it is set by the regulation itself.

The trap founders fall into is copying a forty-role profile from a consultant template into a twelve-person company. The auditor reads it, asks to meet the Head of Sterilisation Validation, and there is nobody. That is a finding for inaccurate competence management, and it is a worse starting point than having no profiles at all. Every role in the profile list has to map to a real seat in the real company. If the seat does not exist yet, the profile does not exist yet either. Write the profile when the seat is created.

The four-step competence cycle

Once role profiles exist, clause 6.2 runs as a four-step cycle for every person in every seat. The cycle repeats when the role changes, the procedure changes, the standard updates, or the person moves.

Step 1 — Define. The role profile defines the competence the seat requires. This step happens once per role and is re-visited when the role evolves.

Step 2 — Assess. For each person in the seat, a gap analysis compares the person's current education, training, skills, and experience against the role profile. The gap analysis is written, dated, and signed by a qualified assessor — usually the quality and regulatory lead or the direct manager with quality sign-off.

Step 3 — Close. The gap is closed. Training is one option. Supervised work is another. Mentorship, shadowing, a structured probationary period with defined milestones — all are legitimate under the clause, provided they produce the required competence and are documented.

Step 4 — Evaluate. The effectiveness of the closing action is evaluated. This is the step that makes clause 6.2 real. Evaluation can be an exit check after training, a supervised task sign-off, a peer review of work done, an internal audit the person passed, a specific deliverable the person completed correctly. It has to be specific to the person and the action, and it has to be in the file.

The four-step cycle is the operating model clause 6.2 expects. Everything in the competence file should trace to one of the four steps. Anything that does not trace to a step is decorative and should come out.

Training records — what a good one contains

A training record that passes a Notified Body audit is not a PowerPoint attendance sheet. It is a structured entry in a person-specific competence file, with seven elements.

First, the person's name and role. Second, the date the training was delivered. Third, the specific content — the name of the procedure trained, the version of the procedure, the name of the standard section, or the name of the regulatory topic. "Intended purpose training" is not specific enough; "SOP-REG-003 v1.4 intended purpose determination procedure" is. Fourth, the name and qualification of the trainer — internal or external. Fifth, the delivery method — classroom, workshop, e-learning, one-on-one. Sixth, the effectiveness evidence — the exit check, the practical task, the supervised sign-off, whatever specifically shows the content landed. Seventh, the signature of the assessor confirming the training was effective.

The trap is to capture elements one through five and skip six and seven. A training record without effectiveness evidence is a delivery record, not a training record in the sense clause 6.2 requires. And the record has to be version-controlled: when the procedure is revised, the training from the old version does not transfer to the new version. Re-training is needed, and the re-training is captured as its own entry in the file.

See the companion post on training your development team on MDR for the curriculum side of this — what to actually teach, not just how to record it.

The PRRC competence requirement under MDR Article 15

On top of clause 6.2's general competence obligation, MDR Article 15 places a named competence requirement on the Person Responsible for Regulatory Compliance. The manufacturer shall have available within its organisation at least one person responsible for regulatory compliance who possesses the requisite expertise in the field of medical devices. (Regulation (EU) 2017/745, Article 15, paragraph 1.)

Article 15(1) then sets out the minimum qualification criteria. The expertise can be demonstrated by either a diploma, certificate, or other evidence of formal qualification in a relevant discipline (law, medicine, pharmacy, engineering, or another relevant scientific discipline) plus at least one year of professional experience in regulatory affairs or in quality management systems relating to medical devices, or by four years of professional experience in regulatory affairs or in quality management systems relating to medical devices. For micro and small enterprises, Article 15(2) allows the PRRC to be available on a permanent and continuous basis through a contracted external person, rather than in-house, subject to the same qualification criteria.

Article 15(6) gives the PRRC legal protection: they shall suffer no disadvantage within the manufacturer's organisation in relation to the proper fulfilment of their duties, regardless of whether they are employees of the organisation. This is not a decorative clause — it is a structural protection that allows the PRRC to refuse release of a non-compliant device without losing their job.

For clause 6.2 purposes, the PRRC's competence file has to do three things the file for an ordinary role does not. It has to carry the specific Article 15(1) evidence — the formal qualification plus the years of experience, or the four years of experience alone, with supporting documentation. It has to show the PRRC has been trained on the specific tasks listed in Article 15(3) — conformity check before release, technical documentation, PMS, vigilance reporting, and investigational device statements. And it has to show the organisation understands Article 15(6) and has not structured any incentive or reporting line that would prejudice the PRRC's independence. See the dedicated post on the PRRC under MDR Article 15 for the full mechanics of the role.

Common mistakes startups make

  • The copied competence matrix. A forty-row template dropped into a twelve-person company. Most rows are aspirational. The auditor asks for the people and they do not exist.
  • Qualifications captured, competence not. The CV is on file, the diploma is scanned, nothing shows the person can actually do the role at the depth the device requires.
  • Training delivered without effectiveness evaluation. The attendance sheet is signed, the slides are in the folder, no exit check, no practical sign-off, no evidence the content landed. Direct non-conformity to clause 6.2.
  • Procedures revised, training not refreshed. The SOP moved from v1.3 to v1.4 six months ago. Nobody was re-trained. The audit finds the gap by comparing the version in the training record to the current version.
  • PRRC without Article 15(1) evidence. A PRRC is named on the QMS org chart, the Article 15(1) qualification evidence is absent or ambiguous, and the organisation cannot demonstrate the minimum experience or qualification on demand.
  • Competence files opened retroactively. The files are assembled three weeks before the audit, backdated where possible, thin where not. Experienced auditors recognise the pattern by the uniformity of the dates and the absence of routine updates.

The Subtract to Ship angle

Clause 6.2 is a place where founders either over-build and under-maintain, or under-build and hope. Both fail. The Subtract to Ship approach is to build one role profile per seat that actually exists, one honest gap analysis per person in the seat, one training or action that actually closes the gap, and one effectiveness check that actually demonstrates the gap closed.

Keep: role profiles for the seats the company has right now. Gap analyses for the people in those seats. Training records with real dates, specific content references, and effectiveness evidence. A PRRC file that carries the Article 15(1) evidence cleanly. A version-control habit that catches procedure changes and triggers re-training.

Cut: empty rows in the matrix for seats that do not exist. Training modules that repeat content nobody applies. Certificate collections with no effectiveness link. Generic "training evaluated by management" statements that do not reference a specific person or a specific training. Re-used competence files copied from one person to another.

The test is the same as every clause. For every artefact in the competence file, does it trace to one of the five clause 6.2 obligations and describe something real about a real person? If yes, it stays. If no, it comes out. Proportionate to the risk class and the real organisation, not to the consultant's template.

Reality Check — Where do you stand?

  1. For every role on your org chart that affects product quality, is there a half-page role profile covering required education, training, skills, and experience, and does every profile map to a seat that actually exists?
  2. For every person in each seat, is there a written, dated gap analysis comparing the person against the profile, signed by a qualified assessor?
  3. For every training delivered in the last twelve months, is the effectiveness evidence specific — an exit check, a supervised task, a peer review — and tied to the named person?
  4. When a procedure in your QMS is revised, does your process automatically flag affected personnel for re-training, and is the re-training captured in the competence file with the new procedure version?
  5. Does your PRRC's file carry the specific Article 15(1) evidence (formal qualification plus one year, or four years of experience), and has the organisation documented that Article 15(6) protection is understood?
  6. If a Notified Body auditor opened the competence file for three randomly named people tomorrow, would the file answer the question "how do you know this person is competent for this role?" without improvisation?
  7. When did you last review the competence file as a whole — role profiles, gap analyses, training records — as part of management review, or is clause 6.2 a silent section in your review cycle?

Any "not yet" is where the next hour of work goes.

Frequently Asked Questions

What does EN ISO 13485 clause 6.2 require for personnel competence? Clause 6.2 requires the organisation to determine the necessary competence for personnel performing work affecting product quality, provide training or take other actions to close the gap, evaluate the effectiveness of those actions, ensure personnel are aware of the relevance of their activities, and maintain records of education, training, skills, and experience. Five distinct obligations, each checkable at audit.

Is a CV or diploma enough to demonstrate competence under clause 6.2? No. A CV and a diploma are qualifications — inputs to competence. Clause 6.2 asks for competence, which is the demonstrated ability to do the specific role at the required quality. The file has to carry the qualification evidence plus the training, skills evidence, and effectiveness evaluation that together show the person can actually operate the seat.

What counts as training effectiveness evidence under clause 6.2? A post-training exit check that the person passed. A short supervised task completed under observation. A peer review of work the person then produced. An internal audit the person passed. A signed probationary sign-off tied to specific deliverables. What does not count is a signed attendance sheet or a generic statement that training is evaluated by management.

What are the MDR Article 15 competence requirements for the PRRC? Article 15(1) requires the PRRC to hold either a formal qualification (diploma or certificate) in law, medicine, pharmacy, engineering, or another relevant scientific discipline plus at least one year of professional experience in regulatory affairs or QMS for medical devices, or four years of professional experience in regulatory affairs or QMS for medical devices. Article 15(6) protects the PRRC from prejudice in the organisation.

Do we need a role profile for every person, or for every role? For every role. One profile per role defines the competence the seat requires. Each person in that seat is then compared against the single profile through an individual gap analysis. Two people in the same role share one profile but have two separate gap analyses and two separate competence files.

How often should the competence file be updated? Whenever something changes. A new hire opens a new file. A procedure revision triggers a re-training entry. A standard update triggers a training cycle for the affected roles. A role change triggers a new gap analysis. Management review should touch the competence file as a routine agenda item, not as an emergency before an audit.

Can an external consultant be our PRRC? Only if the company qualifies as a micro or small enterprise under the definition referenced in MDR Article 15(2), in which case the PRRC can be available on a permanent and continuous basis through a contracted external person. The Article 15(1) qualification criteria still apply, and the contracted PRRC needs the same competence file as an in-house PRRC, with the contractual arrangement documented.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers), including paragraph 9 on resource management as a mandatory QMS aspect, and Article 15 (person responsible for regulatory compliance), including paragraphs 1, 2, 3, and 6 on qualification criteria, micro and small enterprise provisions, specific tasks, and protection from prejudice. Official Journal L 117, 5.5.2017.
  2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Clause 6.2 (human resources), including determination of competence, provision of training or other actions, evaluation of effectiveness, ensuring awareness, and maintenance of records of education, training, skills, and experience.

This post is a deep dive within the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. A competence file is not a folder of diplomas and attendance sheets — it is the honest record of how the company knows each person in each seat can do the work the device requires, and it is the clause a Notified Body auditor is going to open first.