You know the meeting. Someone schedules it for a Tuesday afternoon. Three of the seven people invited send regrets. Two more show up without having read anything. The CEO joins for the last fifteen minutes, says “great work, team,” and leaves. Someone takes notes that read, in their entirety, “Quality is good. Continue improving.” Those notes go into a folder that gets stamped Management Review 2025 and tucked into a binder, where it will live in peace until next year — or until an auditor asks to see it, at which point it will become the single most embarrassing document in your QMS.
That isn’t a management review. That’s a calendar event with snacks. ISO 13485 §5.6 has opinions about the difference.
What §5.6.1 actually requires
Top management must review the QMS at planned intervals to make sure it’s still suitable, adequate, and effective. Three different words doing three different jobs:
- Suitable: Does the QMS still fit the company you are now? You’re not the same business you were three years ago. New product line, new facility, new market — did the QMS keep up, or is it still describing the company you used to be?
- Adequate: Does it actually cover what the regulations require? New rules drop, new markets get added, and your QMS either stretches to fit or it doesn’t.
- Effective: Does it work? Are the processes producing the outcomes they’re supposed to produce, or is it all theater?
You need a documented procedure that says how the review happens, and you need records that prove it actually did. The procedure tells the auditor what you intend to do. The records tell them whether you actually did it. Both are required. Neither is optional.
§5.6.2 — The inputs. Yes, all of them.
This is where ISO 13485 stops being polite and hands you a checklist. Your management review must consider:
- Feedback (from customers, users, market surveillance — anywhere you’re hearing about your product)
- Complaint handling
- Reporting to regulatory authorities
- Audit results (internal and external)
- Monitoring and measurement of processes
- Monitoring and measurement of product
- Corrective action
- Preventive action
- Follow-up actions from previous management reviews
- Changes that could affect the QMS
- Recommendations for improvement
- Applicable new or revised regulatory requirements
Twelve items. Twelve. If your management review minutes don’t address every one of them, you have a finding waiting to happen. Auditors love this list precisely because it’s specific. They will ask, “Where in the review did you discuss applicable new or revised regulatory requirements?” If you can’t point at it on the page, you didn’t do it. There is no “we talked about it informally” in regulated industry. Talking is not evidence.
§5.6.3 — The outputs. Things must change.
The review must produce decisions and actions related to:
- Improvements needed to maintain QMS suitability, adequacy, and effectiveness
- Improvements to product related to customer requirements
- Changes needed to respond to new or revised regulatory requirements
- Resource needs
Read that last one twice. Resource needs. If your management reviews never result in leadership committing money, people, or time, then either you are running the most perfectly resourced QMS in the history of medical devices, or you are not having an actual review. I have my suspicion about which one is more likely.
What this looks like in real life
A real management review has an agenda built directly from §5.6.2 — not because the agenda is sacred, but because the standard says so and skipping items is how findings happen. It has prework: somebody actually pulls the data on complaints, audit findings, CAPA aging, process performance, and supplier issues, and writes it up before the meeting. The room contains people with the authority to commit resources, not delegates who have to “take it back to leadership.”
The minutes capture decisions, not just discussion. “Discussed CAPA backlog” is not a decision. “Approved hiring of one additional QE by Q3 to address CAPA backlog” is. The follow-up actions get owners, dates, and a guaranteed slot on next review’s agenda — that’s the “follow-up actions from previous management reviews” bullet, and it’s how the standard makes sure you can’t just keep deferring the same problem forever.
And — this is the one that trips people up — the review happens at planned intervals. Your procedure says how often. Most companies pick annually. Some pick semi-annually. A few high-risk shops review quarterly. Whatever you pick, do it on schedule. “We had to push it back to October because nobody could make September” once is forgivable. Every year? You don’t have a planned interval. You have a wish.
One last word about that binder
Your management review record is the single piece of evidence that proves top management is actually engaged with quality. Auditors open it first because it tells them, in about ninety seconds, whether your QMS is alive or whether it’s a stack of paper cosplaying as one. If your record is a one-page memo with no data, no decisions, no resource commitments, and no signatures, you’ve already told them everything they need to know about how your company treats quality.
So make it count. Pull the data. Have the conversation. Write down what you decided and what you’re going to do about it. Then actually do those things, so next year’s review has something real to report.
That’s not bureaucracy. That’s the whole job.