What Is Management Review? ISO 13485 and QMSR Requirements
TLDR
Management review is a formal, documented process in which senior leadership evaluates the performance and effectiveness of the quality management system. Under ISO 13485 Clause 5.6 and the FDA's Quality Management System Regulation (QMSR), which became effective February 2, 2026, management review is a mandatory requirement, not a best practice. The standard specifies exactly what inputs leadership must review, what outputs the meeting must produce, and how the entire process must be documented. As of February 2026, FDA investigators can inspect management review records during routine facility audits, making the quality and thoroughness of documentation more critical than ever.
What Is Management Review in a Quality Management System?
Management review is a scheduled, structured meeting in which top management evaluates whether the quality management system is still suitable, adequate, and effective. The review brings together executives, quality directors, department heads, and the management representative to assess the current state of quality performance and make decisions about where the system needs to improve.
The purpose is not to review individual records or investigate specific events. Management review operates at a system level. Leadership looks across all quality data accumulated since the last review, identifies trends, assesses risks, allocates resources, and sets direction for the coming period.
For medical device companies, this process sits in ISO 13485:2016 Clause 5.6 and is fully incorporated into the QMSR under 21 CFR Part 820, effective February 2, 2026. It is one of the clearest expressions of management commitment in the entire standard.
Why Management Review Matters More Than Ever Under QMSR 2026
When the FDA's QMSR replaced the legacy Quality System Regulation on February 2, 2026, it brought one change that significantly raised the stakes for management review: FDA investigators can now access and inspect management review records during facility inspections.
Under the previous QSR, FDA policy historically shielded internal audit and management review records from routine inspection. That discretion ended with QMSR. The FDA's revised compliance program (7382.850) now allows investigators to review these records directly. A management review that is thin, vague, undated, or missing required inputs is no longer just an internal quality gap. It can now produce an FDA Form 483 observation or a warning letter finding.
Quality leaders who treated management review as a formality need to reassess that approach. The record your team produces in that room is now a primary inspection artifact.
ISO 13485 Clause 5.6: The Structure of Management Review
ISO 13485:2016 breaks management review into three sub-clauses, each covering a distinct aspect of the requirement.
Clause 5.6.1: General Requirements
Top management must review the quality management system at planned intervals. The standard requires management to evaluate whether the QMS is suitable, adequate, and effective. The review must also assess opportunities for improvement and the need for changes to the system, quality policy, and quality objectives.
Critically, the standard specifies that records of management reviews must be maintained. This is not optional documentation. The absence of management review records is itself a nonconformance.
The standard does not mandate a single annual meeting format. Many organizations hold quarterly reviews of key metrics and one comprehensive annual review that covers all required inputs. Both approaches satisfy the requirement provided the review cycle is planned, consistent, and documented.
Clause 5.6.2: Review Inputs
ISO 13485 specifies ten categories of information that must be included as inputs to the management review. These are not suggestions. Auditors look for evidence that each input was addressed.
The required inputs are:
- Results of audits, including internal audits and external certification or regulatory audits
- Customer feedback, including complaints and complaint handling results
- Process performance and product conformity data
- Status of preventive and corrective actions, including Deviation CAPA outcomes
- Follow-up actions from previous management reviews and their current status
- Changes that could affect the quality management system, including regulatory updates, organizational changes, or new product lines
- Recommendations for improvement from any source within the organization
- New or revised regulatory requirements applicable to the devices the company produces
- Applicable new or revised standards
- Supplier Quality Management (SQM) performance, including supplier audit results and supplier-related quality issues
Each input requires supporting data, not just a verbal acknowledgment. Management review minutes should capture what data was reviewed for each category and what conclusions leadership drew from that data.
Clause 5.6.3: Review Outputs
The outputs of management review are the decisions and actions that result from the review. ISO 13485 requires that outputs address at least three areas:
- Improvement of the QMS and its processes – specific decisions about where and how the system will be strengthened
- Improvement of product related to customer requirements – actions related to product quality, safety, or performance
- Resource needs – decisions about staffing, equipment, infrastructure, or training required to support quality objectives
Outputs must be documented with assigned owners, action items, and deadlines where applicable. A management review that concludes without specific decisions and assigned actions does not satisfy the spirit or the letter of the standard.
Frequency and Documentation Requirements
ISO 13485 requires management review at "planned intervals," with the minimum expectation being at least once per year. Regulatory bodies and certification auditors generally view annual reviews as the floor, not the target. High-volume manufacturers, companies with active CAPA programs, or organizations that have experienced regulatory action in the prior period should consider semi-annual or quarterly reviews.
Every management review must produce a written record. The record typically includes:
- Date and location of the review
- List of attendees, including their titles and roles
- Confirmation that all required inputs were addressed
- Summary of data reviewed for each input category
- Key findings, trends, or concerns identified
- Decisions made and actions assigned
- Owner and target date for each action item
- Statement that the QMS was evaluated for suitability, adequacy, and effectiveness
- Signatures from senior management, including the management representative
The depth and completeness of this record determine whether the review will survive an FDA inspection or a third-party certification audit.
Who Must Attend Management Review
ISO 13485 requires that management with executive responsibility participate in the review. The management representative, who carries responsibility for QMS oversight under Clause 5.5.2, must be present and must report on QMS performance to executive leadership.
In practice, effective management reviews include:
- CEO, President, or General Manager
- VP or Director of Quality
- Management Representative (often the same as VP/Director of Quality)
- VP or Director of Operations
- VP or Director of Regulatory Affairs
- Heads of relevant departments based on input topics (e.g., supply chain for supplier quality inputs)
Management review cannot be delegated entirely to the quality team. The standard is explicit that executive leadership participates. Certification bodies commonly cite attendance records that show only quality personnel, with no executive representation.
Common Management Review Failures That Trigger Audit Findings
Auditors reviewing management review records frequently cite the same categories of deficiency. Understanding these gaps helps quality teams design a review process that holds up under scrutiny.
Incomplete inputs. The most common finding is that one or more of the ten required input categories was missing from the review record. Often, companies address the inputs they have data for and skip categories where nothing noteworthy occurred. The standard requires all inputs to be addressed, even if the conclusion is that performance was satisfactory with no action required.
No evidence of data review. Management review minutes that list input topics but do not summarize the actual data reviewed are difficult to defend in an audit. Effective records reference specific metrics, trend data, root cause investigation summaries, or complaint volumes reviewed at the meeting.
No outputs or vague outputs. A management review that ends with "the QMS is performing well" and no specific actions fails to meet the output requirements. Every review must produce documented decisions, even if some of those decisions are to maintain current practices without change.
Overdue actions from prior reviews. When follow-up items from the previous management review are still open with no explanation, auditors treat this as evidence that the management review process is not driving real improvement.
Missing executive signatures. Records without signatures from executive management, or with only quality staff signatures, do not demonstrate the leadership commitment the standard requires.
Poor frequency. Companies that conduct management reviews less than annually, or that cannot produce records for planned review periods, face nonconformance findings related to Clause 5.6.1 frequency requirements.
How a Process Audit Connects to Management Review
Management review does not operate in isolation. It sits at the top of a continuous quality loop that draws data from process audits, internal audits, CAPA records, complaint data, and supplier performance. The strength of a management review depends directly on the quality of data flowing up from these connected processes.
A company with a fragmented QMS, where CAPA lives in one spreadsheet, complaints in another, and audit findings in a shared drive, cannot produce the consolidated, trend-based data that an effective management review requires. Leaders end up reviewing snapshots rather than patterns, and the decisions they make reflect that limitation.
The shift to an integrated eQMS changes this fundamentally. When all quality processes feed into a single system, management review preparation moves from a weeks-long manual aggregation exercise to an on-demand data review. Trend reports, open action status, CAPA closure rates, complaint metrics, and Risk Register updates are available in real time, not assembled manually before each meeting.
Maintaining the Audit Trail for Management Review Records
Under both ISO 13485 and the QMSR, management review records must be controlled documents. This means they fall under the document control requirements of Clause 4.2 and must be retained for a defined period, typically the life of the device plus a defined retention window specified in the company's document control procedure.
Maintaining a complete audit trail for management review records includes preserving evidence of who created the record, when it was created, when it was approved, and any subsequent revisions. For companies still managing management review records in Word documents or shared drives, demonstrating this audit trail during an FDA inspection is difficult. The QMSR's expanded access to these records makes a defensible, time-stamped document control system a compliance requirement, not a convenience.
How Cloudtheapp Supports Management Review Compliance
Cloudtheapp's AI-powered eQMS includes a dedicated Management Review application designed around the ISO 13485 Clause 5.6 structure. The platform automatically aggregates data from connected quality modules, including CAPA, complaints, Deviation CAPA, audits, and supplier quality, into a consolidated management review input report.
Quality leaders can configure the system to pull live trend data for each of the ten required input categories, assign review participants, track outputs and action items with owner assignments and due dates, and maintain fully validated, time-stamped records that satisfy both FDA and ISO 13485 audit requirements.
Because Cloudtheapp is pre-validated for FDA 21 CFR Part 820 (QMSR) and ISO 13485, the platform itself meets the computer system validation requirements that apply to electronic quality records. Management review records created in the platform carry the audit trail and access controls that make them defensible under QMSR inspection.
Organizations preparing for their first post-QMSR FDA inspection can use Cloudtheapp to structure management review records that directly address the expanded documentation expectations introduced in February 2026.
Conclusion
Management review is the mechanism through which executive leadership takes ownership of quality system performance. ISO 13485 Clause 5.6 defines the structure precisely: ten required inputs, three required output categories, planned frequency, documented records, and executive participation. Under the QMSR effective February 2, 2026, those records are now inspectable by FDA investigators, which means quality teams need management review processes and documentation that hold up under direct regulatory scrutiny, not just third-party certification audits.
The companies that treat management review as a genuine leadership tool, rather than a compliance checkbox, produce stronger QMS data, identify systemic issues earlier, and enter inspections with a defensible record of continuous improvement. The standard gives you the structure. The execution determines whether that structure actually protects your business.






