---
title: Scaling a MedTech Startup: What Changes Operationally
description: What breaks in MedTech operations as you grow from 10 to 30 to 100 employees, and how your QMS and MDR obligations evolve with headcount.
authors: Tibor Zechmeister, Felix Lenhard
category: Team Building, Operations & Scaling
primary_keyword: scaling MedTech startup operations
canonical_url: https://zechmeister-solutions.com/en/blog/scaling-medtech-startup-operations
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# Scaling a MedTech Startup: What Changes Operationally

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **MedTech scaling breaks differently than software scaling. The QMS that worked at 10 people collapses at 30, and the structure that works at 30 collapses again at 100. The reason is not growth itself — it is that hand-offs get formalized, informal knowledge stops transferring across desks, and auditors start asking different questions as your headcount grows.**

## TL;DR
- The QMS requirements under EN ISO 13485:2016+A11:2021 clauses 5 (management responsibility) and 6 (resource management) do not change with headcount, but how you implement them has to change as you grow.
- At 10 people, everyone knows everything. At 30, you need written hand-offs. At 100, you need formal cross-functional processes and defined training records per ISO 13485 clause 6.2.
- MDR Article 15 (PRRC) obligations become harder to satisfy with a single part-time person once you are running multiple product lines, clinical investigations, and PMS streams simultaneously.
- Auditors ask different questions as you grow: at 10 they ask if you understand your process, at 30 they ask if your team does, at 100 they ask if your systems enforce it.
- The three common failure points are management review drifting into a box-ticking exercise, training records lagging behind actual hiring, and CAPA backlogs growing faster than the team can process them.
- Plan your QMS evolution three headcount tiers ahead of your current size, not for the team you have today.

## Why scaling breaks MedTech operations

In a non-regulated startup, scaling pain is mostly about communication and accountability: people step on each other, handovers get missed, culture drifts. In MedTech you get all of that, plus a regulatory system that is watching. The QMS you certified at 12 people is based on assumptions that stop being true the moment you hire your 20th or 30th person. The undocumented shortcut that worked when the CTO did code review and release management personally becomes an audit finding the moment those responsibilities split across three people.

Felix has watched a dozen MedTech startups hit the 25 to 35 person inflection and discover that their QMS, which had passed a clean stage 2 audit 18 months earlier, no longer reflected how the company actually worked. The regulatory head was firefighting. The founders were confused about what had changed. The answer was always the same: nothing specific had broken. Everything had drifted a little, and the accumulated drift had crossed a threshold.

Tibor audits companies across the full size range. The patterns he sees are remarkably consistent, and they map cleanly to specific ISO 13485 clauses.

## What MDR and ISO 13485 actually say

**MDR Article 10** sets general manufacturer obligations that apply regardless of company size. They do not scale — the obligation to maintain a QMS is the same whether you are 5 people or 5,000.

**MDR Article 15** — Person Responsible for Regulatory Compliance — requires at least one PRRC permanently and continuously at the manufacturer's disposal. Article 15 also allows micro and small enterprises (as defined in Commission Recommendation 2003/361/EC — essentially under 50 employees and under EUR 10M turnover) to use an external PRRC, while larger manufacturers must have the PRRC as an employee. This is a hard scaling trigger: the moment you exceed the small enterprise threshold, your PRRC arrangement must change.

**EN ISO 13485:2016+A11:2021 clause 5** — Management responsibility — requires top management to demonstrate commitment to the QMS, ensure the quality policy is communicated and understood, ensure responsibilities and authorities are defined, appoint a management representative, and conduct management reviews at planned intervals. As you grow, "communicated and understood" stops being trivially true. What was a hallway conversation at 10 people needs a documented training and communication process at 30.

**EN ISO 13485:2016+A11:2021 clause 6** — Resource management — requires the organization to determine and provide the resources needed to implement, maintain, and improve the QMS. Clause 6.2 requires personnel to be competent on the basis of education, training, skills, and experience, and requires records of training and competence to be maintained. This is where scaling hits first and hardest. At 10 people, competence is self-evident. At 30, training records start to lag. At 100, a missing training record is a finding.

## What breaks at each tier

### Around 10 people

Characteristics: founders still do everything, QMS exists mostly on paper, everyone attends all meetings, the founder or CTO is also the PRRC, the management review is a one-hour conversation.

What works at this size: personal knowledge, informal communication, founder oversight of every decision. A good auditor will not penalize informality if the outputs are correct.

What auditors ask: "Show me you understand your process." They want to see that the founders genuinely know the regulation and are making competent decisions. A clean, minimal QMS is fine.

First cracks appear when: you hire employee 11 or 12. Someone does a task without the founder's direct oversight for the first time. Now the process has to exist independently of the person who invented it.

### Around 30 people

Characteristics: middle management emerging, multiple product development workstreams, first external PMS inputs arriving, the PRRC is now a dedicated role, the management review is a structured quarterly meeting.

What breaks: training records lag behind hiring by weeks or months. The informal hand-off from R&D to quality becomes a formal design review that sometimes gets skipped because "everyone already knows." CAPA backlog starts to grow because no single person owns closure anymore. Document control gets sloppy because three people are making edits in parallel.

What auditors ask: "Show me your team understands your process." They will stop asking the founder and start asking a random engineer. If that engineer cannot find the SOP for their own workflow, you have a finding.

First cracks: the 30-person QMS review surfaces a list of small issues that would have been trivial to fix at 10 people but now require coordinated effort across teams.

### Around 100 people

Characteristics: multiple product lines, ongoing clinical investigations and PMCF studies, post-market surveillance generating real data streams, several people in regulatory affairs and quality, management review is a formal process with pre-reads and action tracking.

What breaks: the systems that worked manually stop scaling. Spreadsheet-based training records become unmanageable. Document control in shared drives starts generating version conflicts. The CAPA system that was an Excel tracker becomes a liability. The PRRC — if still a single person — cannot physically cover every decision that Article 15 implicitly expects them to touch.

What auditors ask: "Show me your systems enforce your process." They want to see that compliance is built into the infrastructure, not dependent on specific people. This is where eQMS platforms stop being optional and become load-bearing.

First cracks: you discover that your PMS data from the field has been accumulating faster than you are processing it, and your next PSUR is going to expose the gap.

## A worked example

A Vienna-based startup scaled from 12 to 34 people over 18 months. They had a clean CE mark for a Class IIa device and were opening a second product line. Here is what changed in their QMS, in order:

**Month 1 (headcount 12):** Quality policy taped to the kitchen wall. Management review done quarterly in a one-hour standup. One consultant PRRC, 15 hours per month.

**Month 6 (headcount 18):** First hire in quality. Training matrix created in a spreadsheet. First internal audit by the new QA hire against ISO 13485 clause 8.2.4. Finding: three engineers have no training records for the design control SOP they are using daily.

**Month 10 (headcount 25):** Second product line kicks off. PRRC consultant raises the first flag that the scope of their engagement no longer covers the workload. Startup hires a full-time PRRC. Management review moves to a formal monthly meeting with pre-read documents per ISO 13485 clause 5.6.

**Month 14 (headcount 30):** First PMS data from the field is analyzed. CAPA backlog reaches 14 open items. eQMS platform procurement started because spreadsheets are no longer viable. Document control moves from shared drive to the new platform.

**Month 18 (headcount 34):** Annual surveillance audit by the notified body. Minor findings around training record timeliness and CAPA closure discipline. No major findings, but the audit takes a full day longer than the previous one because the scope has grown. Key lesson: the startup had planned its QMS for the size it was, not the size it was becoming.

## The Subtract to Ship playbook

**Step 1 — Plan three tiers ahead.** If you are at 10, design for 30. If you are at 30, design for 100. This is not over-engineering — it is acknowledging that QMS changes take months to implement and you cannot wait until the system is breaking.

**Step 2 — Treat the 50-employee threshold as a legal event.** MDR Article 15 combined with the small enterprise definition means your PRRC arrangement has to change at this threshold. Do not get surprised by this.

**Step 3 — Track QMS health metrics monthly.** At a minimum: CAPA aging, training record completeness, internal audit findings per quarter, document change cycle time, management review action closure rate. These are leading indicators. When they drift, act.

**Step 4 — Hire quality ahead of the curve, not behind it.** The rule of thumb: add one full-time quality and regulatory headcount for roughly every 15 to 20 people in R&D and operations, adjusted for device class and number of product lines. Class III and software-heavy products need more.

**Step 5 — Formalize hand-offs before they break.** Every time a responsibility transfers from one person to another — design to verification, manufacturing to release, complaint to CAPA — make sure there is a documented hand-off that does not depend on personal memory.

**Step 6 — Upgrade your management review as you grow.** At 10, it is a conversation. At 30, it is a structured meeting with data. At 100, it is a formal process with pre-reads, action tracking, and escalation to the board. The ISO 13485 clause 5.6 requirements do not change, but the implementation must.

**Step 7 — Invest in systems before you need them.** eQMS platforms, training systems, document control — budget for these two tiers before you think you need them. The cost of migrating 200 employees onto a new system mid-crisis is much higher than procuring ahead of the curve.

## Reality Check

1. Do you have a written plan for how your QMS will change as you cross 30, 50, and 100 employees?
2. Is your current PRRC arrangement compliant with MDR Article 15 for your current and expected next headcount tier?
3. Are your training records (ISO 13485 clause 6.2) current, or are they lagging behind hiring?
4. Can a randomly selected engineer in your company find the SOP for their own workflow in under two minutes?
5. What is your current CAPA aging distribution, and is it stable or growing?
6. Does your management review (ISO 13485 clause 5.6) produce actions that actually get closed, or is it a box-ticking exercise?
7. If your notified body auditor asked to see your training matrix today, could you produce it within 15 minutes?
8. Have you budgeted for the eQMS upgrade before you need it, or are you planning to migrate during a crisis?

## Frequently Asked Questions

**At what size do I need to hire a full-time PRRC?**
MDR Article 15 allows external PRRCs for micro and small enterprises. Once you exceed the small enterprise threshold (roughly 50 employees and EUR 10M turnover under Commission Recommendation 2003/361/EC), the PRRC must be a permanent member of the staff. In practice, most startups find they need a full-time PRRC well before 50 people because the workload outgrows a consultancy arrangement.

**How much quality and regulatory headcount should I budget for?**
Rough rule: one full-time quality or regulatory headcount for every 15 to 20 people in R&D and operations, adjusted upward for Class III devices, software-heavy products, and multiple product lines. Class I self-certified products need less.

**Is an eQMS mandatory?**
No — ISO 13485 does not mandate a specific tool. Many startups run a compliant QMS on shared drives and spreadsheets well past 20 people. The question is not whether it is mandatory, but when the manual approach becomes more expensive than the platform.

**What is the single biggest QMS failure mode when scaling?**
Training records lagging behind hiring. It is almost always the first finding at a scaling company, and it is the easiest to prevent with simple discipline. When you sign an offer letter, the training assignment should happen the same day.

**How often should internal audits happen as we grow?**
ISO 13485 clause 8.2.4 requires internal audits at planned intervals. At 10 people, an annual full-cycle internal audit is usually enough. At 30, quarterly targeted audits are more effective. At 100, you need a continuous rolling internal audit program covering each major process at least annually.

**Does scaling change our MDR obligations?**
The obligations themselves do not change — MDR Article 10 applies equally to a 5-person and a 500-person manufacturer. What changes is how you implement them and what auditors expect to see as evidence of that implementation.

## Related reading
- [MedTech startup operations playbook 3 to 30](/blog/medtech-startup-operations-playbook-3-to-30) — the operational detail for early scaling.
- [Building a QA/RA team in a startup](/blog/building-qa-ra-quality-team-startup) — hiring sequence and role definitions.
- [QMS maturity model for startups](/blog/qms-maturity-model-startups) — how to assess where your QMS actually is today.
- [Internal audits on a 3-person team](/blog/internal-audits-3-person-team) — the lean implementation of ISO 13485 clause 8.2.4.
- [Management responsibility under MDR](/blog/management-responsibility-mdr) — the ISO 13485 clause 5 requirements in plain language.

## Sources
1. Regulation (EU) 2017/745 on medical devices, consolidated text. Articles 10 and 15.
2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes, clauses 5 and 6.
3. Commission Recommendation 2003/361/EC concerning the definition of micro, small and medium-sized enterprises.

---

*This post is part of the [Team Building, Operations & Scaling](https://zechmeister-solutions.com/en/blog/category/team-operations) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*
