Management Review for Medical Devices: ISO 13485 & QMSR Compliance Guide
How to conduct management reviews for medical device companies per ISO 13485 Clause 5.6 and FDA QMSR — required inputs, outputs, frequency, documentation, and common audit findings.
What Is Management Review?
Management review is a structured, top-level evaluation of a medical device company's quality management system (QMS), conducted by senior leadership at planned intervals. Its purpose is to ensure the QMS remains suitable, adequate, and effective — and to drive decisions about improvement, resource allocation, and strategic direction.
Under ISO 13485:2016 Clause 5.6 and FDA's Quality Management System Regulation (QMSR, effective February 2, 2026), management review is not optional. It is a mandatory process that top management must conduct, document, and act upon. Under QMSR, FDA investigators can now request and review your management review records during inspections — a significant change from the old QSR, where these records had certain protections.
Regulatory Requirements
ISO 13485:2016 Clause 5.6
ISO 13485 Clause 5.6 requires that top management review the organization's QMS "at documented planned intervals" to ensure its continuing suitability, adequacy, and effectiveness. The standard specifies:
- The review must include assessing opportunities for improvement and the need for changes to the QMS, including quality policy and quality objectives
- The rationale for the review interval must be recorded
- Requirements for management review must be documented in a procedure
- Records from management reviews must be maintained
FDA QMSR (21 CFR Part 820)
With the QMSR effective February 2, 2026, FDA incorporated ISO 13485:2016 by reference. Management review is evaluated under the "Management Oversight" QMS area in FDA's new inspection framework (CP 7382.850). During baseline surveillance and PMA pre-approval inspections (Inspection Model 2), investigators are required to review management review as a mandatory element.
Critically, under QMSR, FDA eliminated the protections that existed under the old QSR for management review records, internal audit reports, and supplier quality audit reports. FDA's rationale: ISO 13485 does not include such protections, and notified bodies and MDSAP auditors already evaluate these records. Your management review records are now fully inspectable.
EU MDR / IVDR
Under the EU Medical Device Regulation (MDR) and In Vitro Diagnostic Regulation (IVDR), management review is implicitly required as part of the quality management system obligations in Article 10. Notified bodies routinely evaluate management review compliance during conformity assessments.
Management Review Inputs: The 12 Required Inputs
ISO 13485 Clause 5.6.2 specifies a minimum of 12 inputs that must be included in management review. These are not suggestions — they are requirements. Your management review procedure must address each one.
| # | Input | What It Means | Where to Get the Data |
|---|---|---|---|
| 1 | Feedback | Customer, patient, and user feedback on products and services | Customer surveys, complaint trends, post-market surveillance data |
| 2 | Complaint handling | Summary of complaints received, evaluated, investigated, and resolved | Complaint log, complaint trending reports |
| 3 | Reporting to regulatory authorities | Adverse events, field safety corrective actions, vigilance reports submitted | MDR reports, FSCA summaries, vigilance submissions |
| 4 | Audits | Results of internal audits, external audits, and supplier audits | Internal audit reports, notified body audit reports, MDSAP audit findings |
| 5 | Monitoring and measurement of processes | QMS process performance metrics — cycle times, deviation rates, on-time delivery | KPI dashboards, process metrics reports |
| 6 | Monitoring and measurement of product | Product conformity data — acceptance rates, nonconformance trends, test results | In-process and final inspection data, nonconformance reports |
| 7 | Corrective action | Status and effectiveness of open and closed CAPAs | CAPA log, effectiveness verification results |
| 8 | Preventive action | Status of preventive actions taken to eliminate potential causes of nonconformities | Preventive action log, risk assessment updates |
| 9 | Follow-up actions from previous management reviews | Status of actions assigned during previous reviews | Action tracker from last management review |
| 10 | Changes that could affect the QMS | Organizational changes, new regulations, process changes, market changes | Change control log, regulatory intelligence updates |
| 11 | Recommendations for improvement | Suggestions from audits, complaints, process owners, or any source | Improvement suggestions log, internal audit recommendations |
| 12 | Applicable new or revised regulatory requirements | New or changed regulations that affect the company's devices or QMS | Regulatory intelligence reports, FDA guidances, EU MDR updates |
Note: These 12 inputs are a minimum. Your company may identify additional inputs relevant to your specific devices, markets, or risk profile.
Management Review Outputs: What the Review Must Produce
ISO 13485 Clause 5.6.3 requires that the output from management review be recorded and include the input reviewed plus any decisions and actions related to four areas:
1. Improvement Needed to Maintain QMS Suitability, Adequacy, and Effectiveness
Decisions about changes to the QMS — new procedures, revised processes, organizational restructuring, or updated quality objectives. This is where management decides whether the QMS is still fit for purpose.
2. Improvement of Product Related to Customer Requirements
Decisions about product improvements — design changes, labeling updates, manufacturing process improvements, or new testing requirements. This connects management review directly to product quality and patient safety.
3. Changes Needed to Respond to New or Revised Regulatory Requirements
Decisions about how to address regulatory changes — QMSR transition activities, EU MDR implementation milestones, new FDA guidance documents, or updated international standards. Management must decide how these changes will be implemented and resourced.
4. Resource Needs
Decisions about additional resources — personnel, equipment, facilities, training, software, or external expertise. If the QMS has gaps or the company is expanding into new markets, management must allocate the resources to address those needs.
How Often Should You Conduct Management Reviews?
ISO 13485 requires management review "at documented planned intervals" but does not prescribe a specific frequency. The rationale for your chosen interval must be recorded. Common approaches include:
| Frequency | Typical Use Case | Considerations |
|---|---|---|
| Annual | Most common for small-to-medium device companies | Must ensure the annual review covers all 12 inputs comprehensively |
| Semi-annual | Companies with higher risk devices or rapid growth | Allows more timely response to emerging issues |
| Quarterly | Large manufacturers with complex product portfolios | Some companies hold quarterly "mini-reviews" with a comprehensive annual review |
| Event-driven | Triggered by significant events (warning letters, major product changes, regulatory shifts) | Cannot be the only mechanism — planned intervals are required |
Key Considerations for Frequency
- Risk profile: Higher-risk devices (Class III, implants) may warrant more frequent reviews
- Regulatory changes: The QMSR transition in 2026 is a strong reason to increase review frequency
- Audit findings: If internal or external audits reveal systemic issues, management should review them promptly
- Company growth: Rapidly growing companies need more frequent reviews to ensure the QMS scales appropriately
- FDA expectation: Under the new inspection framework, investigators will evaluate whether your review frequency is adequate for the complexity and risk of your operations
How to Structure a Management Review
Step 1: Plan and Schedule
- Define the review date, time, and location
- Identify attendees — top management must participate; include quality, regulatory, operations, and R&D leadership
- Distribute the 12 required input packages to attendees in advance
- Assign a facilitator (typically the Management Representative or VP Quality)
Step 2: Compile Input Data
For each of the 12 inputs, prepare a concise summary that includes:
- Current status and trends (with data, not narratives)
- Comparison to previous period and to quality objectives
- Notable changes, issues, or risks
- Proposed actions or recommendations
Step 3: Conduct the Review
A structured agenda typically follows the 12 inputs in order:
- Opening — Review of previous management review action items (Input 9)
- QMS Performance — Process monitoring, product monitoring, audit results (Inputs 4, 5, 6)
- Customer and Market — Feedback, complaints, regulatory reporting (Inputs 1, 2, 3)
- Improvement — CAPA status, preventive actions, recommendations (Inputs 7, 8, 11)
- External Environment — Regulatory changes, QMS changes (Inputs 10, 12)
- Decisions and Actions — Review outputs: improvements, product changes, regulatory responses, resource needs
Step 4: Document the Output
Minutes must include:
- Date, attendees, and scope
- Summary of each input reviewed
- All decisions made with specific actions, owners, and due dates
- Resource allocation decisions
- Follow-up schedule for action items
Step 5: Track and Follow Up
- Assign a tracker for all action items with owners and due dates
- Review action item status at the next management review (Input 9 for the following cycle)
- Ensure completed actions have documented evidence of completion
Common Audit Findings for Management Review
Notified bodies, MDSAP auditors, and FDA investigators frequently cite the following management review deficiencies:
Inadequate Inputs
- Missing one or more of the 12 required inputs
- Inputs are too vague or narrative — lack quantitative data and trend analysis
- Complaint trending not included or not analyzed for patterns
- CAPA effectiveness data not included
- Regulatory changes not tracked or reported
Inadequate Outputs
- No documented decisions or actions resulting from the review
- Actions are vague ("improve training") without specific deliverables, owners, or due dates
- Resource needs not addressed even when data shows gaps
- No follow-up mechanism for previous action items
Inadequate Leadership Involvement
- Reviews conducted by quality team alone without top management participation
- Management signs off on documents without genuine engagement in the discussion
- Reviews are a paperwork exercise rather than a strategic decision-making forum
Inadequate Frequency
- Reviews not conducted at planned intervals
- No documented rationale for the chosen frequency
- Significant events (warning letters, major product changes) not triggering interim reviews
Under QMSR Inspections
Under the new FDA inspection framework, management review is evaluated as part of the "Management Oversight" QMS area. SimplerQMS and other sources report that inadequate management review is increasingly cited during QMSR-aligned inspections, particularly when:
- Management review records exclude required inputs such as audit results, CAPA trends, and field data
- Reviews lack documented outputs with assigned actions and follow-up
- Reviews are conducted without meaningful analysis, timely follow-up, or appropriate leadership involvement
Management Review vs. Other Quality Reviews
| Review Type | Purpose | Frequency | Participants | Key Output |
|---|---|---|---|---|
| Management Review | Evaluate QMS suitability, adequacy, effectiveness | Planned intervals (annual minimum) | Top management + quality leadership | Strategic decisions, resource allocation |
| Internal Audit | Verify QMS compliance and effectiveness | Risk-based schedule covering all areas | Trained internal auditors | Audit findings, nonconformities, observations |
| Design Review | Evaluate design adequacy at development stages | At defined design phases | Design team + cross-functional reviewers | Design review minutes, go/no-go decisions |
| CAPA Review | Monitor CAPA status and effectiveness | As needed or periodic | Quality team + CAPA owners | CAPA status updates, effectiveness verification |
| Complaint Review | Evaluate individual complaints and trends | Per complaint + periodic trending | Quality/regulatory team | MDR decisions, investigation conclusions |
Management review is distinct from all of these — it is the only review where top management evaluates the QMS holistically and makes strategic decisions about improvement, resources, and direction.
Practical Tips for Effective Management Reviews
Use data, not narratives. Present quantitative trends, charts, and metrics. "Complaint rate increased 23% in Q3" is far more actionable than "we received more complaints."
Separate management review from operational meetings. Management review is about QMS health and strategic direction, not day-to-day problem-solving. Keep the focus at the right level.
Make it forward-looking. While reviewing past performance is necessary, the real value of management review is identifying what needs to change. Spend at least as much time on "what should we do differently" as on "what happened."
Connect the dots. If CAPA effectiveness is declining while complaint rates are rising, that is a systemic signal that management needs to address. Do not treat each input in isolation.
Document thoroughly but efficiently. FDA, notified bodies, and MDSAP auditors will read your management review minutes. They should be factual, specific, and free of unnecessary characterizations. Avoid language like "the company is not compliant" — instead, describe the specific gap and the action being taken.
Follow up relentlessly. The single biggest failure in management review is not tracking actions to completion. If actions from the previous review are not closed, that is itself a management review input that signals QMS ineffectiveness.
Frequently Asked Questions
Who must attend management review? Top management must participate. Under ISO 13485, "top management" means the person or group of people who direct and control the organization at the highest level. This typically includes the CEO, VP Quality, VP Regulatory, VP Operations, and VP R&D. Quality teams can prepare the inputs, but the review itself must be conducted by senior leadership.
Can we combine management review with other meetings? You can, but it is risky. If you do, make sure the management review portion is clearly documented as a separate agenda item with its own minutes covering all 12 inputs and all four output categories. Auditors and investigators will look for evidence that the review was conducted properly.
What if nothing significant happened since the last review? You still need to conduct the review and document that each input was evaluated. "No changes" or "no issues" is a valid finding for some inputs, but it must be documented. The absence of issues is itself data.
How does QMSR affect our management review process? Under QMSR, management review records are now fully inspectable by FDA. If your reviews have been informal or poorly documented, now is the time to strengthen your process. FDA investigators will evaluate management review as part of the "Management Oversight" QMS area during baseline surveillance and PMA pre-approval inspections.
Do we need a separate management review procedure? Yes. ISO 13485 Clause 5.6.1 requires that management review requirements be documented. This is typically a procedure that defines the frequency, inputs, outputs, participants, documentation requirements, and follow-up mechanism.