Scaling a MedTech startup from 3 people to 30 is where most teams break their Quality Management System. The operations playbook that survives the transition treats three company sizes — 3, 10, and 30 — as distinct operating models, each with its own document control, training, communication, and audit rhythm. At 3 people operations are informal, cross-functional, and founder-led. At 10 people processes get formalised, the first dedicated QA/RA person comes in, and the first internal audit runs. At 30 people functions separate, management review becomes a real quarterly forum, and post-market surveillance and vigilance scale into their own capability. Every transition breaks something; the playbook is knowing which things to break on purpose and which things to protect.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.

TL;DR

  • A MedTech startup operations playbook is not one operating model — it is three, tied to company size: 3 people, 10 people, and 30 people. Each has its own QMS rhythm, document control approach, training cadence, and communication pattern.
  • At 3 people the operations work is founder-led and cross-functional. The QMS exists, but the formal procedures are light; everybody does everything. The risk is not under-process — it is losing traceability of the decisions that will matter two years later at the first Notified Body audit.
  • At 10 people the first dedicated QA/RA hire lands. Procedures get written for real. The first internal audit runs. This is the most fragile transition — processes that lived in people's heads now have to live in documents, and the document control system has to actually work.
  • At 30 people functions separate. Management review becomes a real quarterly forum with evidence, not a rubber stamp. Post-market surveillance and vigilance need their own owners. The CEO stops running operations and starts governing them.
  • The transitions that break things are document control, training, and communication — in that order. A scaling QMS fails at these three layers before it fails anywhere else.
  • Subtract to Ship applied to operations means: do not add a process until the work fails without it, do not add a document until the decision needs to be traceable for an external reader, and do not promote an informal practice into a procedure until it has actually stabilised.
  • The operations rigour required by MDR Article 10 and EN ISO 13485:2016+A11:2021 is not a function of company size — a 3-person company carries the same legal obligations as a 300-person company. The playbook is about how those obligations are met at each scale without collapsing under their own weight.

Why this matters for your startup

A founder Felix coached had built a team of eight and was stuck. The product was not shipping. The founder had assumed the problem was the product, or the market, or the fundraise. It was none of those. The problem was that the company had grown from 3 people to 8 people without any of its operations growing with it. Everything still routed through the founder. The QMS documents still lived in the founder's head. The engineering decisions still went through the founder's inbox. The regulatory questions still piled up on the founder's desk. The team had learned — correctly — that nothing moved without the founder, so they stopped trying to move anything themselves.

Felix's recommendation was hard. Rebuild the team first, then the product. The founder did exactly that. Replaced the team. Re-engineered the product. The silent rebuild worked, but it cost a year and a significant amount of capital, and the whole thing could have been avoided if the company had treated the transition from 3 people to 10 people as a real operating-model change rather than "just more headcount."

This is the pattern. Almost every scaling failure we see in MedTech startups is not a team failure and not a product failure. It is an operations failure — specifically, a failure to recognise that the operating model at 3 people cannot survive at 10 people, and the model at 10 people cannot survive at 30 people. The work of scaling is not adding people. It is changing how the people you have work together, and then adding more people into the new model.

MDR makes this harder than in a normal startup. The regulation does not care that you are small. MDR Article 10 places the obligations of a manufacturer on the legal entity, and EN ISO 13485:2016+A11:2021 requires a QMS with real management responsibility, real document control, real training records, real internal audits, and real management review. Those obligations do not shrink because your team is three people, and they do not automatically grow because your team is thirty. You have to grow the operations model on purpose.

This is the playbook for doing that.

The 3-person stage: informal, cross-functional, founder-led

At 3 people — usually two or three co-founders — the operating model is informal by necessity. Everybody does everything. The CEO writes intended purpose in the morning, debugs firmware in the afternoon, and answers an investor email at midnight. The CTO is also the quality-and-regulatory lead, or the quality-and-regulatory lead is a fractional external person working closely with the co-founders. See The MedTech Startup Team: Key Roles You Need Before and After CE Marking for the minimum viable seat map.

At this stage the QMS exists — it has to, because MDR Article 10(9) requires manufacturers to establish, document, implement, maintain, keep up to date, and continually improve a quality management system — but it is deliberately light. A small number of real procedures that cover the work actually happening. A design and development file that is being built as the device is built. A document control system that could be as simple as a well-structured folder with a changelog, provided there is actual discipline behind it. A risk management file that is current. An intended purpose document that everybody on the team can recite.

The risk at 3 people is not under-process. It is losing traceability of the decisions that will matter two years later. Every classification call, every intended purpose refinement, every scope decision about what is and is not part of the device, every architectural choice that later constrains the regulatory path — these are the decisions a Notified Body will ask about at audit. If they were made in a Slack DM between two co-founders and never written down, they are gone. The founder's memory is not an audit trail.

The Subtract to Ship discipline at 3 people looks like this. Write down the decisions that will be questioned later, not the decisions that are obvious today. Keep the procedures to the real work. Do not build a document tree that mimics a 300-person company because a template told you to — that is the "Berlin template QMS" failure mode we describe in Building a Lean QMS for MedTech Startups. Build the QMS around the work that is actually happening, and let the work lead the documents rather than the documents leading the work.

What protects this stage is the fact that communication is automatic. Three people in a room do not need a communication process; they need a table. Training is automatic because everybody learns everything. Document control is tractable because the total document count is small enough to hold in one head. The operating model works because the company is small enough to run on context.

None of that survives the next stage.

The 10-person stage: formalising processes, first dedicated QA/RA, first internal audit

Somewhere between 6 and 12 people the 3-person operating model snaps. The symptoms are always the same. The founder is the bottleneck for every decision. New hires do not know how things work because the "how things work" lives in the founders' heads. The QMS documents that were light and real at 3 people are now light and stale — they no longer describe what the company actually does, which means every audit is a falsification risk. Engineering decisions start going through without regulatory review because the regulatory reviewer is drowning in everything else.

This is the transition where the operations playbook has to change on purpose.

First dedicated QA/RA hire. By 10 people the quality-and-regulatory lead seat has to be internal and usually full-time. See Building the QA/RA Quality Team for a MedTech Startup for the timing and profile. The role at this stage is not "write the QMS and hand it to me." The role is to inherit the light-but-real QMS the founders have been running, turn it into documents that actually match what the company does, and build the first layer of procedural discipline that will survive more people joining.

Procedures get written for real. Not templates copied from a consultancy's library, and not a 400-page QMS ripped off a similar-sized company. Real procedures for the work that is actually happening — change control, design review, document approval, training records, CAPA, complaint handling (even if there are no complaints yet), supplier evaluation, internal audit. Each procedure is short, each procedure is owned by a named person, and each procedure describes what the company actually does, not what the ISO standard abstractly requires. The test is: can a new hire on day one read the procedure and actually do the work?

First internal audit. This is the first time anyone inside the company formally checks whether the QMS as written matches the QMS as lived. Internal audit is a requirement under EN ISO 13485:2016+A11:2021, but more importantly it is the only mechanism that catches the drift between documents and reality before the Notified Body catches it. The first internal audit will find things. It is supposed to. A first internal audit that finds nothing is not a clean company — it is a broken audit. See Preparing for Your First Internal Audit for the practical approach.

Document control becomes a real system. At 3 people, a structured folder and a changelog can be enough if the discipline is real. At 10 people, this stops being enough. Not because the regulation changes — MDR and EN ISO 13485 do not draw lines at headcount — but because the number of documents, the number of people touching them, and the number of versions in play all cross a threshold where manual discipline stops working. This is where the document control system — whether that is a dedicated QMS tool or a carefully configured shared drive with version control — has to be built for real. See Document Control for Scaling MedTech Startups for the specifics.

Training starts existing as a thing. At 3 people everyone learns everything by osmosis. At 10 people there are hires who did not see the company at 3 people and do not know how things work. A training plan — short, real, targeted — becomes necessary. Training records start existing. Role-specific competence gets written down. The standard requires this under EN ISO 13485:2016+A11:2021 clauses on human resources and competence.

The 10-person transition is the most fragile one in the playbook. It is where the "silent rebuild" story happens when the transition is not managed. The founders have to actively move work out of their own heads and into procedures, and they have to trust the first real QA/RA hire to own the QMS without hovering over every change.

The 30-person stage: functional separation, management review rigour, PMS and vigilance at scale

By 30 people — usually Series A or Series B, often approaching CE or in the final stretch toward it — the operating model has to change again. The 10-person model held up by putting one quality-and-regulatory person in charge of everything cross-functional. At 30 people that single seat starts to break because the work has grown beyond what one person can both own and execute.

Functions separate. QA and RA start to diverge into distinct roles; see Building the QA/RA Quality Team for a MedTech Startup. Design and development has its own lead. Manufacturing or contract manufacturing oversight is its own function. Post-market surveillance and vigilance start to need their own owners — this is not optional, and the post-market phase is itself a separate operations chapter, see Post-Market Surveillance Operations for MedTech Startups. Supplier management grows into a real activity with evaluations, requalifications, and supplier audits.

Management review becomes a real forum. At 3 and 10 people, management review under EN ISO 13485:2016+A11:2021 is often a meeting the CEO runs once a year, looks at a dashboard, signs a document, and moves on. At 30 people this no longer works. Management review has to be a real quarterly forum where the leadership team looks at QMS performance, audit results, CAPA status, complaints, PMS data, supplier performance, training status, and regulatory environment changes, and makes real decisions that get documented and tracked. A management review meeting with no decisions is a compliance theatre meeting, and auditors now recognise the pattern on sight. See Management Review That Is Not Compliance Theatre for the working model.

PMS and vigilance scale into their own capability. As soon as the device is on the market — or approaching being on the market — the post-market side of the QMS becomes as large as the pre-market side. Complaint handling needs real intake, triage, and timelines. Field data collection needs a real process. PMS plan and PMS report obligations need owners. Vigilance reporting needs the infrastructure to catch serious incidents and report them within the regulatory timeframes. Thirty people is where this stops being "something the RA person also does on the side" and becomes a function in its own right.

The CEO stops running operations and starts governing them. At 3 people the CEO runs operations personally. At 10 people the CEO is transitioning out of direct operations and into management of operations. At 30 people the CEO has to be out of direct operations entirely, running the company at the level of governance, strategy, and capital, and trusting the operational layer to execute. The CEO who is still approving every change order at 30 people is the CEO whose company will not make it to 60 people.

The transitions that break things: document control, training, communication

Across the three stages, three operational layers break before anything else. If you are scaling a MedTech startup and something is going wrong, look here first.

Document control breaks first. The transition is not from "bad document control" to "good document control." It is from "implicit discipline in a small group" to "explicit system that scales to more people and more documents." Document control fails when the number of documents and the number of people touching them outgrows the implicit discipline, and no one has built the explicit system yet. The symptom is version drift — three people working on three different versions of the same procedure without knowing it. The fix is a real system, and the time to build it is at the 10-person transition, not the 30-person transition. At 30 people the retrofit is brutal.

Training breaks second. At 3 people training is osmosis. At 10 people, without a real training plan, new hires never fully come up to speed on the QMS because there is no systematic onboarding into it, and the informal osmosis that worked at 3 people no longer reaches them because the founders are no longer in the room for every conversation. The symptom is new hires who "follow the procedure" in name but do not understand why the procedure exists, which leads to deviations nobody catches. The fix is a short, real, role-specific training plan that exists by the 10-person transition and scales by the 30-person transition.

Communication breaks third. At 3 people communication is automatic. At 10 people it has to become semi-structured — standing meetings, a clear escalation path, a place where cross-functional decisions are recorded. At 30 people it has to become fully structured, with management review as the quarterly governance forum, weekly cross-functional operations reviews, and explicit channels for regulatory escalation. Communication failures do not look like communication failures when they happen. They look like a missed vigilance report, a change that went through without risk assessment, a complaint that was logged and then forgotten. The root cause is that the information did not reach the person who needed to act on it.

The Subtract to Ship discipline for scaling operations

The Subtract to Ship framework applies to operations scaling the same way it applies to the technical file and the team. The default move when a company is struggling is to add things. Add a procedure. Add a meeting. Add a tool. Add a hire. The Subtract to Ship move is the opposite: before you add anything, strip the operations model down to what is actually load-bearing, and only add what is required for the work that must happen in the next 12 months.

For operations scaling specifically, the discipline looks like this.

Do not add a process until the work fails without it. A process added before the work needs it is a process nobody follows because there is no pain behind it. A process added when the work is actively failing is a process with genuine authority because everyone can see why it exists.

Do not add a document until the decision needs to be traceable for an external reader. Documentation for its own sake is the "more documentation is not more quality" failure mode Tibor talks about constantly. Documentation for traceability, for audit readiness, for handover, for regulatory defence — that is load-bearing and worth building.

Do not promote an informal practice into a procedure until it has actually stabilised. A procedure written around a practice that is still changing weekly is a procedure that will be wrong by next month. Let the practice run informally until it stabilises, then promote it.

Do not copy a template you do not understand. This is the Berlin template QMS failure. A template from a similar-sized MedTech company looks like a shortcut; it is not. It is a set of assumptions about a different company's work glued to your letterhead. The auditor will spot it in the first hour. Build the QMS around your work, even if it is slower, because a small honest QMS survives audits that a large copied QMS does not.

Do not skip the 10-person transition because you are under pressure. This is the one that kills companies. The founders are under fundraising pressure, or engineering pressure, or Notified Body pressure, and the operations transition gets postponed. Six months later the company has grown to 15 people on a 3-person operating model and the damage is already done. The 10-person transition is the single most expensive one to skip.

See No-BS MDR Guide for First-Time Founders for the first-time-founder framing that pairs with this scaling discipline, and The Subtract to Ship Framework for MDR for the underlying methodology.

Reality Check — Where do you stand?

  1. Which of the three stages is your company in today — 3 people, 10 people, or 30 people — and is the operating model you are actually running matched to that stage, or is it the model from the previous stage still limping forward?
  2. If a new hire joined tomorrow, could they read your QMS procedures and actually do the work, or would they still need the founder to explain how things really work?
  3. When was your last internal audit? If you are past 10 people and the answer is "never," the 10-person transition is already behind schedule.
  4. Does your document control system actually prevent version drift, or does it rely on people remembering which file is current?
  5. Is there a written, role-specific training plan that a new hire goes through in their first two weeks, or does onboarding into the QMS happen by osmosis?
  6. Is your management review a real quarterly forum with decisions and follow-ups, or a once-a-year signature exercise?
  7. If your post-market data started flagging a safety signal tomorrow, does the company have an identifiable person who would own the investigation, or would it land on the CEO by default?
  8. For each major QMS procedure, can you name a single internal owner who is accountable for it being current and real?

Frequently Asked Questions

At what team size does a MedTech startup need to formalise its operations? The most fragile transition is from 3 people to roughly 10 people. That is where the informal, founder-led operating model stops working and procedures, document control, training, and internal audit have to become real systems. Waiting until 15 or 20 people to make this transition usually means an expensive retrofit and, in some cases, a silent rebuild of the team.

Does MDR require a smaller QMS for smaller companies? No. MDR Article 10(9) requires every manufacturer to establish, document, implement, maintain, keep up to date, and continually improve a quality management system that is proportionate to the risk class and type of device. Proportionality is about the device, not about the company size. A 3-person startup making a Class IIb device carries the same QMS obligations as a large manufacturer making the same class of device. The playbook is about meeting those obligations at each company size without collapsing under the weight.

When should a MedTech startup run its first internal audit? By the 10-person transition at the latest, and ideally before. The first internal audit is not a compliance formality — it is the mechanism that catches the drift between the QMS as written and the QMS as lived, before a Notified Body does. A first internal audit that finds nothing is almost always a broken audit, not a clean company.

What breaks first when a MedTech startup scales from 3 to 30 people? Document control breaks first, training breaks second, communication breaks third. All three fail because the implicit discipline that worked at 3 people does not scale, and the explicit systems that replace it have to be built on purpose at the 10-person transition. Companies that skip that transition get to 30 people with broken document control and pay for it in audit findings.

Does the CEO still run operations at 30 people? No. At 30 people the CEO has to be out of direct operations and into governance, strategy, and capital. A CEO still approving every change order at 30 people is the bottleneck that will stop the company growing to 60. The transition out of direct operations usually happens between 10 and 20 people and is one of the hardest transitions for technical founders to make.

How do you know when an informal practice is ready to be promoted into a procedure? When the practice has stabilised — run the same way for long enough that writing it down will capture how it actually works, not how it worked last month. Promoting an unstable practice into a procedure creates documentation that is wrong by the time the ink is dry, which teaches the team that the procedures do not match reality, which is how a QMS starts to rot.

What is the single most expensive operations mistake MedTech startups make? Skipping the 10-person transition. Staying on a 3-person operating model while the team grows to 12 or 15 because the founders are under fundraising or engineering pressure and the operations change feels like it can wait. Six months later the company has structural operations debt that is painful and slow to repair, and in some cases the only fix is the kind of silent rebuild that costs a year.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers) and Article 10(9) (quality management system requirement). Official Journal L 117, 5.5.2017.
  2. EN ISO 13485:2016 + A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Sections on management responsibility, document control, human resources and competence, internal audit, and management review.

This post is part of the Team Building, Operations & Scaling category in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. The operations playbook in this post is the scaling companion to the team seat map in the category pillar — read them together, and use the Reality Check as a working diagnostic for whichever stage your company is currently in.