Management Review Under ISO 13485: What MDR Auditors Actually Look For

What makes a management review under ISO 13485 satisfy MDR auditors — the inputs and outputs that must be documented, the common gaps that generate findings, and how to run a review that demonstrates genuine leadership engagement.

Why management review gets audited so carefully

Management review is one of the places where auditors can tell, relatively quickly, whether a QMS is genuinely embedded in how an organisation runs or whether it exists mainly on paper. The records tell a story. If the story they tell is that senior leadership meets once a year, reviews a slide deck with green metrics, and signs off in 45 minutes, auditors know that the QMS is not being actively governed.

ISO 13485 clause 5.6 defines what a management review must cover and what it must produce. MDR adds pressure on top of that by requiring manufacturers to demonstrate ongoing compliance — not just at initial certification, but throughout the device lifecycle. The management review is one of the primary mechanisms for demonstrating that ongoing compliance, which is why auditors treat it seriously.

The required inputs — and why each one matters

ISO 13485 specifies the inputs that must be addressed in a management review. Teams that treat this as a checklist often produce records that technically mention each input without genuinely analysing it. That distinction is visible in the records, and auditors are trained to spot it.

Results of audits — both internal audits and any Notified Body or regulatory audits. This means not just listing that audits occurred, but discussing what they found and what the findings mean for the QMS. If internal audits have been finding the same types of nonconformities for three cycles, that pattern should be explicitly discussed at management review and a systematic response documented.

Customer feedback and complaints — including complaint trends, serious incidents, and the outcomes of vigilance procedures. A management review that lists complaint volumes without discussing whether trends are increasing, what categories are driving them, and whether the current risk-benefit profile remains acceptable is not meeting the intent of this input.

Process performance and product conformity — how well your processes are working and whether product is consistently meeting specifications. If yield rates are fluctuating or process capability is declining, this is a management review input. Senior leadership needs to know about it and make resource decisions.

Regulatory and standards changes — any changes to MDR requirements, relevant harmonised standards, MDCG guidance, or applicable national regulations that affect the QMS or technical documentation requirements. Most manufacturers are aware of major regulatory changes, but many don't have a mechanism to ensure those changes get formally assessed in management review and trigger documented actions where needed.

The outputs that auditors check

The outputs of management review are often where the most visible gaps appear. ISO 13485 requires that management review produce decisions and actions related to QMS improvement, product improvement (related to customer requirements), and resource needs. "We discussed this and agreed to continue monitoring" is not an output. An output is a decision with an assigned owner and a timeline.

Auditors look at the outputs and then follow up: were the actions from the last management review completed? If actions were committed to but not followed through, that signals that the management review process is not producing real accountability. The follow-up section of each management review record — where you close out the actions from the previous cycle — is as important as the new content.

The suitability question most teams skip

ISO 13485 requires management review to address not just QMS performance but QMS suitability and adequacy. These are different questions. Performance asks: are we meeting our targets? Suitability asks: are our targets the right ones given the current state of our business, our device portfolio, and the regulatory environment?

The suitability question becomes particularly important when significant things have changed: a new product line added, a market expanded into, a key regulatory change implemented, major organisational changes. If the QMS was designed for a single Class IIa device and the company has since added a Class III implant and expanded to the US market, the suitability question is whether the QMS is still structured to manage all of that. Many management review records never ask this question.

Frequency and documentation

ISO 13485 requires management review at planned intervals, with the interval defined in the QMS. The minimum is annually, but for companies with active device portfolios and ongoing regulatory activity, annual-only reviews are increasingly viewed by auditors as insufficient. The practical standard is shifting toward reviews at least twice per year, with documented rationale if a longer interval is chosen.

The format of the records matters. Meeting minutes need to be detailed enough that someone who was not in the room can understand what was reviewed, what was concluded, and what was decided. A two-page set of minutes for a management review that claims to have covered ten topics is almost certainly not providing that level of detail.

Building a review that actually works

Management review works best when it is treated as a genuine governance exercise rather than a compliance obligation. That means preparing actual analysis ahead of the meeting — not just compiling slides, but drawing conclusions from the data and presenting leadership with decisions to make. It means assigning action owners in the room, not after the fact. And it means following up in writing on every committed action before the next review.

One practical structure: run a pre-review data compilation two weeks before the meeting. Have each functional owner submit a written summary of their area — complaints, process performance, audit results, regulatory changes — with their preliminary analysis and any proposed actions. Circulate the summaries before the meeting. Use the meeting to discuss the analysis, not to present the data. You will get better decisions and better records.
