A qualification gap analysis is the structured exercise of mapping the competencies your QMS and your device actually require, comparing them honestly against the competencies your team actually has, and naming the gaps before a Notified Body auditor does. EN ISO 13485:2016+A11:2021 clause 6.2 requires personnel performing work affecting product quality to be competent on the basis of education, training, skills, and experience, with documented evidence. MDR Article 10 places the manufacturer obligations on the legal entity and Article 15(1) sets specific qualification criteria for the PRRC. The startup-scale method runs in six steps: map required competencies per role, assess the current team, identify gaps, decide training vs hire vs outsource per gap, document the analysis in the competence file, and refresh quarterly. Done honestly, it is the single cheapest way to prevent the most common and most dangerous competence failure in MedTech — hiring on fluency and discovering the substance was never there.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.


TL;DR

  • A qualification gap analysis maps required competencies against actual team competencies and names the gaps in writing before an auditor finds them.
  • EN ISO 13485:2016+A11:2021 clause 6.2 is the anchor. The clause requires the organisation to determine the necessary competence, provide training, evaluate effectiveness, and maintain records for every role affecting product quality.
  • MDR Article 10 places the manufacturer obligations on the company, and MDR Article 15(1) sets hard qualification criteria for the PRRC that a gap analysis must check explicitly.
  • The six-step method: map required competencies per role, assess the current team, identify gaps, decide per-gap between training / hire / outsource, document the analysis in the competence file, refresh quarterly.
  • The analysis is only useful if it is honest. A gap analysis that concludes the team is fully qualified when the team is not is worse than no analysis at all, because it creates a false paper record.
  • The highest-leverage gap is usually the one the founders cannot see, because it hides behind a title that sounds right.
  • Done quarterly and properly, a qualification gap analysis is the discipline that would have prevented the Austrian fake-expert disaster we keep pointing to in this series.

Why a qualification gap analysis matters

There is an Austrian company we keep returning to in this series. The founders had a sentence they used to close every difficult conversation. "We have a dedicated expert handling regulatory." Investors relaxed. The board relaxed. Partners relaxed. Under the surface, the "expert" was beginner-level — fluent in the vocabulary, empty on the substance. Intended purpose was inconsistent between documents. Classification pointed at the wrong Annex VIII rule. The clinical evaluation strategy would not have survived a serious Notified Body review. The company had been operating for years on a foundation that looked competent and was not.

The point of this story in the context of a qualification gap analysis is not that the person was dishonest. The point is that the company had no mechanism for noticing the gap. Nobody had written down, in advance, what competencies the role actually required. Nobody had mapped the current team against those requirements. Nobody had named the gap in writing while it was still cheap to fix. The gap was discovered at audit time, which is the most expensive possible moment to find it.

A qualification gap analysis is the mechanism that would have caught this. It is a boring, structured, hour-by-hour exercise that forces the company to write down what the work requires and what the team has, and then compare the two lines side by side. Done honestly, it surfaces the gap while the runway is still long. Done dishonestly, it creates a paper record of competence that does not exist, and the paper record itself becomes an audit finding.

This post gives the startup-scale method.

The regulatory anchor — clause 6.2 and MDR Article 10

Before the method, the two texts the analysis has to satisfy.

EN ISO 13485:2016+A11:2021 clause 6.2 — human resources — requires that personnel performing work affecting product quality be competent on the basis of appropriate education, training, skills, and experience. The clause requires the organisation to determine the necessary competence for each role, provide training or take other actions to achieve that competence, evaluate the effectiveness of the actions taken, ensure that personnel are aware of the relevance and importance of their activities, and maintain records of education, training, skills, and experience. A qualification gap analysis is the most direct way to satisfy the "determine the necessary competence" obligation and the foundation for everything else in the clause.

MDR Article 10 places the manufacturer obligations on the legal entity, and Article 10(9) requires the QMS to cover resource management including the competence of personnel. Article 15(1) adds a specific, hard-edged qualification requirement for the PRRC role: either a relevant degree (law, medicine, pharmacy, engineering, or another relevant scientific discipline) plus at least one year of professional experience in regulatory affairs or QMS relating to medical devices, or four years of such professional experience without the formal qualification. The PRRC qualification is not a soft "could be improved" item in a gap analysis — it is a pass or fail check against a specific legal text.

Together, these two obligations define what a qualification gap analysis has to cover. Every role that affects product quality. The PRRC role in particular. Education, training, skills, and experience documented against the requirements of the role. Gaps named and handled.

The six-step method

The method below is the one we use with startups. It is deliberately simple because a complicated gap analysis does not get done, and a gap analysis that does not get done is worse than one that is merely rough.

Step 1 — Map required competencies per role

Start with the roles, not the people. For each named seat in the MedTech startup team — CEO, technical lead, clinical voice, quality and regulatory lead, PRRC, and any role-specific seats like a software lead, a clinical specialist, or a customer-facing specialist — write down what competence that seat actually requires in your specific company.

The mapping has four dimensions, because clause 6.2 has four dimensions.

  • Education. What degrees, diplomas, or formal qualifications does the role require? For the PRRC, this is either a defined degree plus one year, or four years of experience in lieu of the degree. For other roles, the requirement may be softer but should still be named.
  • Training. What specific training must the person complete to do the role? MDR baseline literacy for everyone (see Training Your Development Team on MDR). Internal auditor training for the quality lead. Device-specific technical training for the engineering leads. Usability engineering training where relevant. Name the training explicitly.
  • Skills. What must the person be able to demonstrate they can do? Write an intended purpose statement. Defend a classification argument against an Annex VIII rule. Run a management review. Answer a Notified Body deficiency letter. Perform an internal audit. The skills list is where the role becomes concrete.
  • Experience. What prior experience does the role require? For the PRRC under Article 15(1), this is specified by the Regulation. For other roles, it is a judgement about the depth the work demands — a mid-level RA hire needs at least one prior CE mark behind them, a senior hire needs multiple.

The output of Step 1 is a written competence profile for each role in your company. Keep it short — half a page per role is enough. It must exist as a document, not as an assumption.

Step 2 — Assess the current team honestly

For each person currently in a role, go through the four dimensions from Step 1 and document what they actually have. Not what the title implies. Not what the CV claims. What is demonstrable.

This step is where most gap analyses fail, because it requires honesty about people the founders work with every day. The discipline is to separate the person from the role. The assessment is not a judgement of the person's worth — it is a judgement of whether the current competence matches what the role requires. A person can be wonderful and still be in a role they are under-qualified for.

Three practical techniques for the assessment.

  • CV plus evidence. Read the CV and ask for the evidence behind each claim. "Led regulatory strategy for a Class IIa device" is a claim. The submission documents, the specific decisions made, the Notified Body correspondence are the evidence. The CV without the evidence is not an assessment.
  • Specific questions. For the RA and QA seats, use the question framework from Hiring for Regulatory Affairs in a Startup. Ask the person to cite specific MDR articles from memory. Ask them to reason about your specific device. Ask them what they do not know well enough to decide alone. The quality of the answers is the assessment.
  • Work samples. Pull three pieces of actual work the person has produced in their current seat — a procedure they wrote, a decision they made, a document they authored — and read them against the role requirements. Does the work match the depth the role demands?

The output of Step 2 is a documented statement, per person, of their current competence against each of the four dimensions. Dated. Signed by the assessor. Filed in the competence file.

Step 3 — Identify the gaps

With the role profiles from Step 1 and the current assessment from Step 2, the gaps write themselves. For each role, list the dimensions where the current person does not match the requirement. Be specific.

A gap is not "needs more training." A gap is "the quality and regulatory lead has never run an internal audit against ISO 13485 clause 8.2.4, and the QMS operation requires this within the next six months." A gap is not "the PRRC qualification is uncertain." A gap is "the named PRRC has a relevant degree but only eight months of documented professional experience in medical device regulatory affairs, falling four months short of the Article 15(1) degree-plus-one-year path." Specific gaps are fixable. Vague gaps are wallpaper.

Also name the gaps that are not about a current person but about a missing seat. If your company does not have a clinical voice, that is a gap. If your PRRC arrangement is nominally external but the external provider is not "permanently and continuously at the disposal of" the company in any real sense, that is a gap. The absence of a competence is just as much a gap as a person who falls short of a requirement.

Prioritise the gaps by the risk they create. A gap in the PRRC qualification under Article 15(1) is higher priority than a gap in a softer skill, because the former is a legal compliance failure and the latter is an operational weakness. A gap in the competence to run the internal audit programme is higher priority than a gap in a nice-to-have training, because the former blocks a required QMS process.

Step 4 — Decide: internal training, hire, or outsource

For each named gap, decide the resolution path. Three options. The choice is not arbitrary — each option fits a specific kind of gap.

  • Internal training. Appropriate when the gap is a skill or knowledge shortfall in a person who has the foundation to close it, and when the timeline allows for structured learning. An RA lead who has never handled a Notified Body deficiency letter can learn by shadowing one and then handling the next one under supervision. A junior QA associate who needs internal auditor training can complete a recognised course. Internal training is cheap if the person is coachable and the mentor exists inside or outside the company.
  • Hire. Appropriate when the gap is at the senior judgement layer — where internal training cannot plausibly close the gap in the available time, or where the role carries legal weight that cannot wait. If the PRRC is underqualified under Article 15(1) and the path to meeting the criteria is years away, the hire is unavoidable. See Hiring Your First Quality Manager for MedTech for the timing question.
  • Outsource. Appropriate when the work is specialist, episodic, or legally structured for external provision. An Article 15(2) external PRRC arrangement for a micro or small enterprise is a legitimate outsourcing path — covered in PRRC Options for Startups. Specialist clinical evaluation authorship, biocompatibility interpretation, or cybersecurity penetration testing can be outsourced cleanly, provided there is still an internal owner.

Avoid the two common traps. First, outsourcing every gap without building any internal capacity, so the company becomes permanently dependent on external providers with no accountability inside the walls. Second, promising to "train internally" on a gap that is too large to close in the time available, which turns the gap analysis into a wish list rather than a plan.

The output of Step 4 is a named resolution per gap, with a named owner and a deadline.

Step 5 — Document the gap analysis in the competence file

The analysis itself has to live somewhere. The competence file under clause 6.2 is the right home, because that is where an auditor will look for it. A qualification gap analysis document should contain, at minimum:

  • The date the analysis was performed and the name of the assessor.
  • The role profiles from Step 1.
  • The per-person assessments from Step 2.
  • The gaps identified in Step 3, prioritised.
  • The resolution decisions from Step 4, with owners and deadlines.
  • A signature or sign-off by the person accountable for the quality function.
  • A scheduled next review date.

The document does not have to be long. A five-page structured document with real content beats a fifty-page consultant deliverable that nobody has read. What matters is that it exists, that it is dated, that it is specific, and that it is reviewed at the cadence set in Step 6.

The related post Training Records Under ISO 13485 covers how competence records and training records fit together inside the QMS.

Step 6 — Refresh quarterly

A gap analysis is not a one-time event. Roles change. People change. The device changes. The regulation changes. The QMS matures. A competence picture that was accurate in Q1 is out of date by Q3 if the company is moving at all.

Schedule the refresh on a quarterly cadence. The quarterly refresh does not have to re-do the full analysis from scratch — it walks through the previous gap list, checks which gaps have been closed, identifies new gaps that have emerged, and updates the resolution decisions. Thirty minutes to an hour per quarter for a small startup. Enough to keep the picture honest without becoming a bureaucracy.

Tie the refresh to the management review cadence required by EN ISO 13485:2016+A11:2021 clause 5.6 so that the gap analysis becomes a standing input to management review. This is also what makes it visible to top management under Article 10(9) and the management commitment requirement.

The Subtract to Ship angle

The Subtract to Ship framework applied to a qualification gap analysis means: do not build a consultant-grade HR competence matrix with twenty skill categories and colour-coded heat maps. Build the smallest document that honestly answers four questions per role — education, training, skills, experience — against the requirements the role actually faces. Name the gaps in writing. Assign a resolution and an owner. Refresh quarterly. That is the whole discipline.

What comes out is the bloated competence framework imported from a larger company, the generic training catalogue the startup does not need, the ceremonial annual review that produces no decisions, and the consultant deliverable that sits in a folder nobody opens. What stays is the small, honest document that would have caught the Austrian fake-expert pattern before the first audit.

The test is the same as every Subtract to Ship decision. For every item in the gap analysis, can you point to the clause 6.2 dimension it addresses and the concrete gap it names? If yes, keep it. If the answer is "because the template included it," cut it.

Reality Check — Where do you stand?

  1. Does your company have a written qualification gap analysis document, dated within the last quarter, covering every role that affects product quality?
  2. For each role in the company, is there a written competence profile that names the required education, training, skills, and experience specifically for that seat?
  3. For each person in a role, is there a dated, signed assessment of their current competence against the four dimensions?
  4. Is the PRRC qualification explicitly checked against MDR Article 15(1) — with the specific path (degree plus one year, or four years) documented and backed by evidence?
  5. For every gap named in the analysis, is there a resolution decision (internal training / hire / outsource), a named owner, and a deadline?
  6. Is the gap analysis a standing input to management review, or does it sit in a folder that nobody opens between audits?
  7. If a Notified Body auditor opened the competence file for three random people in your company tomorrow, would the gap analysis match what they would find?
  8. When was the last time a gap analysis honestly named a person's current role as a mismatch, and what did the company do about it?

Frequently Asked Questions

What is a qualification gap analysis in a MedTech startup? A qualification gap analysis is a structured exercise that maps the competencies each role in the company actually requires against the competencies the current team actually has, and names the gaps in writing. In a MedTech startup it is anchored to EN ISO 13485:2016+A11:2021 clause 6.2 and MDR Article 10, and it must explicitly check the PRRC qualification against MDR Article 15(1). The output is a dated document in the competence file with a resolution plan for every gap.

How often should a startup run a qualification gap analysis? Quarterly, tied to the management review cadence under EN ISO 13485:2016+A11:2021 clause 5.6. The first full analysis takes a few hours for a small team; subsequent quarterly refreshes take thirty minutes to an hour. Waiting until the annual surveillance audit to discover competence gaps is the pattern that produces the most expensive corrections.

Who should perform the gap analysis? In a small startup, the quality and regulatory lead runs it, with the CEO as the sign-off because management responsibility under EN ISO 13485:2016+A11:2021 clause 5.5 lives at the top. For the PRRC assessment itself, the analysis should be reviewed by someone other than the PRRC — usually an external sparring partner or the CEO — because a self-assessment of a legal role is not a clean check.

What counts as a competence gap under clause 6.2? A specific, named shortfall between what a role requires and what the current person has, in one of the four clause 6.2 dimensions: education, training, skills, or experience. Vague statements like "needs more regulatory knowledge" are not gaps — they are wallpaper. A real gap names the missing item specifically, points to the evidence of the shortfall, and has a resolution path attached. An auditor can read a real gap and see what is being done about it.

Can outsourcing close a qualification gap? Yes, for specific kinds of gaps. An Article 15(2) external PRRC arrangement can close the PRRC qualification gap for a micro or small enterprise, provided the external person is genuinely permanently and continuously at the disposal of the company. Specialist episodic work can be outsourced cleanly. What outsourcing cannot close is the need for an internal owner — somebody inside the company who holds context and is accountable when something slips. Outsourcing the accountability is not a resolution.

What is the biggest mistake in a startup qualification gap analysis? Doing it dishonestly. A gap analysis that concludes the team is fully qualified when the team is not creates a false paper record, which is itself an audit finding under clause 6.2 when the auditor checks the underlying evidence. The second biggest mistake is running the analysis once, filing it, and never refreshing it, which turns a living document into a historical artefact that no longer matches the company.

Does the PRRC need to meet Article 15(1) on day one of the appointment? Yes. The qualification criteria in MDR Article 15(1) are met or not met at the time of appointment — either the relevant degree plus at least one year of professional experience in regulatory affairs or QMS relating to medical devices, or four years of such experience without the formal qualification. Appointing a PRRC who does not meet the criteria and planning to "grow into it" is a legal mismatch from day one. If the internal path is not available, the Article 15(2) external route for micro and small enterprises exists for exactly this situation.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers), Article 10(9) (quality management system, resource management, and the list of areas the QMS shall address), Article 15 (person responsible for regulatory compliance), Article 15(1) (qualification criteria — either a relevant degree in law, medicine, pharmacy, engineering, or another relevant scientific discipline plus at least one year of professional experience in regulatory affairs or QMS relating to medical devices; or four years of such professional experience). Official Journal L 117, 5.5.2017.
  2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Clause 6.2 (human resources — competence based on education, training, skills, and experience, with documented evidence, including determination of necessary competence, provision of training, evaluation of effectiveness, awareness, and maintenance of records).

This post is part of the Team Building, Operations & Scaling category in the Subtract to Ship: MDR blog, under the Competence and Qualification subcategory. Authored by Felix Lenhard and Tibor Zechmeister. If your company has never run a qualification gap analysis, this is the post to read before the next management review — and then block ninety minutes with the quality and regulatory lead and run the six steps honestly against the team you actually have today.