ISO 13485 Management Review: Inputs, Outputs & Frequency

Jared Clark

April 01, 2026

By Jared Clark, JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC | Principal Consultant, Certify Consulting

Last updated: 2026-04-01


Management review is one of the most consistently mishandled clauses in ISO 13485 — and one of the most scrutinized by auditors. After working with 200+ medical device companies across certification and surveillance audits, I can tell you that organizations rarely fail because they didn't hold a management review. They fail because the review was superficial, lacked required inputs, or produced outputs too vague to drive action.

This pillar guide covers everything you need to know: what ISO 13485 actually requires, what auditors look for, how to structure your inputs and outputs, and how to set a review frequency that satisfies both the standard and your operational reality.


What ISO 13485 Clause 5.6 Actually Requires

ISO 13485:2016 clause 5.6 mandates that top management review the organization's Quality Management System (QMS) at planned intervals. The purpose is to ensure the QMS remains:

  • Suitable — appropriate for the organization's context
  • Adequate — resourced and structured to meet requirements
  • Effective — actually achieving intended quality and regulatory outcomes

This sounds simple, but the clause is deceptively demanding. Clause 5.6 is split into three sub-clauses:

Sub-Clause | Title | Core Obligation
5.6.1 | General | Planned intervals; records maintained
5.6.2 | Review Input | Defined list of required input topics
5.6.3 | Review Output | Required decisions and actions documented

Unlike ISO 9001:2015, which is more flexible on structure, ISO 13485:2016 is prescriptive. The standard tells you exactly what must be covered. There's no "risk-based" discretion to skip an input category — you must address each one.

ISO 13485:2016 clause 5.6.2 specifies eight mandatory input categories that top management must review at each planned management review interval, with no discretion to omit any category.


Who Must Attend a Management Review?

The standard requires top management to conduct the review. ISO 13485:2016 defines top management (clause 3) as the "person or group of people who directs and controls an organization at the highest level."

In practice, this typically means:

  • CEO / General Manager / President — mandatory
  • Quality Director or VP of Quality — mandatory
  • Regulatory Affairs lead — strongly recommended
  • Operations / Manufacturing lead — recommended
  • Clinical / R&D lead — recommended (if applicable)

A common nonconformance I see: the Quality Manager holds the review without executive participation, then presents results to leadership in a separate meeting. That does not satisfy clause 5.6. The standard requires top management to be present in the review itself — not just briefed afterward.


Required Inputs: All 8 Categories Under Clause 5.6.2

Clause 5.6.2 of ISO 13485:2016 explicitly lists eight input topics. Every single one must be addressed in your management review record. Here's what each one means in practice:

1. Feedback

This includes customer complaints, customer satisfaction data, and any post-market surveillance information. Under ISO 13485, feedback is directly linked to patient safety — don't treat it as a customer service metric. Include complaint trend data, resolution rates, and MDR/vigilance reportability analysis if applicable.

2. Complaint Handling

Distinct from general feedback, this input focuses specifically on your complaint handling process performance. How many complaints were received? How many were investigated? What were resolution times? Were any reportable to FDA, Notified Bodies, or Health Canada?

3. Reporting to Regulatory Authorities

Summarize any mandatory reports made to regulatory bodies during the review period: MDRs (21 CFR Part 803), vigilance reports (EU MDR Article 87), adverse event reports, field safety corrective actions (FSCAs), and their outcomes.

4. Audits

Cover both internal audits and any external audits (Notified Body, FDA, third-party supplier audits). Summarize findings, nonconformances, observations, and the status of corrective actions. Audit trends over time are especially valuable here.

5. Monitoring and Measurement of Processes

Review key process performance indicators (KPIs): on-time delivery, production yield, sterilization validation status, calibration compliance, and any other metrics your organization uses to monitor QMS processes.

6. Monitoring and Measurement of Product

This input addresses product nonconformances, in-process rejections, final inspection results, and product release data. Trends in product quality metrics belong here.

7. Corrective and Preventive Actions (CAPA)

Provide a status update on open and closed CAPAs. Are they being completed on time? Are root causes being addressed? Are issues recurring? This is one of the most audit-sensitive inputs — weak CAPA performance surfaces quickly.

8. Follow-Up Actions from Previous Management Reviews

Every action item from your last management review must be reviewed for completion status. Unresolved items with no documented justification are a red flag for auditors.

Organizations that fail ISO 13485 management review audits most commonly lack documented evidence that all eight required clause 5.6.2 inputs were formally reviewed — not that the reviews didn't occur at all.


Additional Inputs to Consider (Beyond the Mandatory Eight)

While the eight inputs above are non-negotiable, best-practice organizations also include:

  • Changes affecting the QMS — new regulations, product line expansions, facility changes, acquisitions
  • Post-market clinical follow-up (PMCF) / Post-Market Surveillance (PMS) data — especially critical under EU MDR/IVDR
  • Supplier performance trends — quality agreements, supplier audits, incoming inspection failure rates
  • Regulatory landscape updates — FDA guidance changes, EU MDR transition deadlines, Health Canada amendments
  • Risk management review status — per ISO 14971:2019, risk files should be reviewed periodically

These additions demonstrate QMS maturity and substantially reduce the likelihood of surprise audit findings.


Required Outputs: What Clause 5.6.3 Demands

ISO 13485:2016 clause 5.6.3 requires that management review outputs include decisions and actions related to:

Output Category | What This Means in Practice
Improvement of QMS effectiveness | Specific initiatives to close identified gaps
Improvement related to customer and regulatory requirements | Process or product changes needed to maintain compliance
Resource needs | Budget allocations, headcount, equipment, training

"Decisions and actions" is the operative phrase. Vague outputs like "Continue to monitor complaints" or "CAPA system looks good" do not satisfy clause 5.6.3. Each output must be:

  • Specific: What will be done?
  • Assigned: Who owns it?
  • Time-bound: By when?

Think of it as the management review generating a mini project plan — a table of action items with owners, due dates, and success criteria.

Sample Output Structure

Action Item | Owner | Due Date | Success Criteria
Revise complaint handling SOP to reduce resolution time | QA Manager | 2026-06-30 | Average resolution ≤ 20 business days
Qualify backup supplier for critical component XYZ | Procurement Lead | 2026-07-31 | Supplier audit completed; approved supplier list updated
Conduct refresher CAPA training for engineering team | HR / QA | 2026-05-31 | 100% completion rate documented

How Frequently Must Management Reviews Be Conducted?

ISO 13485:2016 clause 5.6.1 requires reviews at "planned intervals" — it does not specify a minimum frequency. However, this ambiguity is constrained by several real-world factors:

Regulatory Context Matters

  • FDA 21 CFR Part 820 (legacy QSR): Requires management review at "defined frequencies" — in practice, FDA investigators have cited annual reviews as the accepted minimum
  • EU MDR (2017/745): Notified Bodies interpreting EU MDR/IVDR quality system requirements via EN ISO 13485 typically expect at least annual reviews, with more frequent reviews for higher-risk devices
  • ISO 13485:2016 itself: Leaves frequency to the organization but requires the intervals to be defined in your QMS documentation

What I Recommend Based on Audit Experience

Company Stage / Risk Level | Recommended Frequency
Startup / Pre-certification | Quarterly (builds discipline and records)
Certified, Class I/II devices | Annually (minimum), semi-annually preferred
Certified, Class III / high-risk devices | Semi-annually or quarterly
Post-recall or major CAPA | Quarterly until stability demonstrated
Post-EU MDR transition | Semi-annually (Notified Bodies are watching closely)

The most defensible position: Define your review frequency explicitly in your QMS procedure (e.g., "Management reviews shall be conducted at minimum annually, with additional reviews triggered by significant quality events or regulatory changes"). This demonstrates planning and gives you flexibility without ambiguity.

ISO 13485:2016 does not mandate a specific review frequency, but FDA and EU Notified Body expectations consistently treat an annual cadence as the minimum acceptable standard for certified medical device manufacturers.


Records: What You Must Retain

Clause 5.6.1 explicitly states that records of management reviews shall be maintained. These records are a required documented output — not optional.

Your management review record must contain, at minimum:

  • Date and attendees (with signatures or electronic acknowledgment)
  • Evidence that all eight clause 5.6.2 inputs were addressed (summary or referenced supporting documents)
  • All decisions and actions per clause 5.6.3 (with owners and due dates)
  • Status of follow-up items from previous reviews

Records must be controlled per clause 4.2.5 (Document and Record Control). Retention period is typically aligned with your device's product lifetime plus applicable regulatory retention requirements — often a minimum of 5 years, and up to the life of the device plus 2 years under FDA requirements.


In my eight-plus years of consulting experience, these are the most common nonconformances auditors write against clause 5.6:

  1. Missing inputs: One or more of the eight required inputs not addressed (most commonly: reporting to regulatory authorities, or follow-up on prior actions)
  2. No top management involvement: Reviews conducted or signed off by Quality alone, without verified executive participation
  3. Vague outputs: Action items that lack owners, due dates, or measurable success criteria
  4. Irregular frequency: Reviews conducted on an ad hoc basis with no defined interval in the QMS procedure
  5. Incomplete records: Attendee lists missing, no evidence inputs were substantively reviewed, or outputs not formally documented

Avoiding these five findings alone will put your organization in the top tier of management review compliance.


How to Build a Bulletproof Management Review Process

Here's the practical framework I implement with clients at Certify Consulting:

Step 1: Define Frequency and Triggers in Your QMS Procedure

Document your review schedule (e.g., "annually in Q4, plus ad hoc reviews triggered by Class II+ nonconformances or regulatory actions"). Make it part of your QMS policy.

Step 2: Assign a Management Review Coordinator

Typically the Quality Manager or QMS Administrator. This person owns agenda preparation, input data collection, scheduling, and record maintenance — but is not the decision-maker.

Step 3: Build a Standardized Input Package

Create templates for each of the eight required inputs. Assign data owners (e.g., Complaints → Regulatory Affairs, Audits → Internal Audit Program Manager). Set data submission deadlines 2–3 weeks before the review.

Step 4: Use a Structured Agenda

The agenda should mirror the eight inputs, allocate time for discussion and decision-making, and reserve the final 15 minutes for action item confirmation.

Step 5: Document Outputs in Real Time

Use a live action log during the meeting. Don't reconstruct it from memory afterward — auditors can tell. Each action item is captured with owner, due date, and success criteria before the meeting ends.

Step 6: Track Actions to Closure

Integrate management review action items into your CAPA or task management system. Review open items at your next management review — this becomes your clause 5.6.2(h) input.


Management Review vs. Quality Council vs. Quality Meeting: Know the Difference

A common source of confusion: organizations confuse routine quality meetings with the formal management review.

Activity | Frequency | Participants | ISO 13485 Clause
Management Review | Planned intervals (min. annually) | Top management required | 5.6
Quality Council / Steering Committee | Monthly or quarterly | Quality + operational leaders | Not specifically required
QMS Metrics Review / Operations Meeting | Weekly or monthly | Quality + operations | Not specifically required

Routine quality meetings support QMS operation but do not substitute for a formal management review. Your formal management review must stand alone, with its own agenda, records, and documented outputs.


Common Questions About ISO 13485 Management Review

For additional context on QMS documentation requirements that feed your management review inputs, see our guide on ISO 13485 Document Control Requirements. And if your CAPA system is generating the action items that management review must track, our resource on ISO 13485 CAPA Requirements provides the foundational framework.


Summary: The Management Review Compliance Checklist

Use this checklist before every management review to ensure audit readiness:

  • [ ] Top management attendance confirmed and documented
  • [ ] Frequency consistent with QMS procedure
  • [ ] All 8 clause 5.6.2 inputs prepared and included in agenda
  • [ ] Supporting data gathered from process owners in advance
  • [ ] Prior management review action items status reviewed
  • [ ] Outputs include specific actions, owners, and due dates
  • [ ] Record completed, signed, and filed under document control
  • [ ] Action items entered into CAPA or task tracking system

Jared Clark is the Principal Consultant at Certify Consulting, where he has led 200+ medical device companies through ISO 13485 certification with a 100% first-time audit pass rate. He holds credentials including JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, and RAC.

Jared Clark is the founder of Certify Consulting, helping organizations achieve and maintain compliance with international standards and regulatory requirements.