---
title: MDR QMS Management Review: How to Run It Efficiently Using ISO 13485
description: Management review under ISO 13485 clause 5.6 is where the CEO signs off on the QMS. Here is how to run it efficiently in a small team without turning it into theatre.
authors: Tibor Zechmeister, Felix Lenhard
category: Quality Management Under MDR
primary_keyword: QMS management review MDR startup
canonical_url: https://zechmeister-solutions.com/en/blog/mdr-qms-management-review-startup
source: zechmeister-solutions.com
license: All rights reserved. Content may be cited with attribution and a link to the canonical URL.
---

# MDR QMS Management Review: How to Run It Efficiently Using ISO 13485

*By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.*

> **Management review is the meeting where top management — in a startup, the CEO and the founding team — takes responsibility for the QMS by looking at a defined set of inputs, making defined decisions, and recording the outputs. Clause 5.6 of EN ISO 13485:2016+A11:2021 specifies exactly what goes in and exactly what must come out. MDR Article 10(9) makes the QMS itself a legal obligation, and MDR Annex IX gives the Notified Body explicit authority to inspect management review records. A small team can run the review efficiently by scheduling it at a fixed cadence, preparing the inputs package in advance, running the meeting in ninety minutes, and writing minutes that any auditor can trace. The failure mode to avoid is management review as theatre — a meeting that produces a document nobody ever reads again.**

**Last updated 10 April 2026.**

---

## TL;DR

- Management review is not optional. Clause 5.6 of EN ISO 13485:2016+A11:2021 makes it a mandatory QMS process, and MDR Article 10(9) makes the QMS itself a legal obligation.
- The required inputs are specified in clause 5.6.2 and the required outputs in clause 5.6.3. Miss one of them and the review is incomplete as a matter of standard conformity.
- The cadence is "at documented planned intervals." For most startups, twice a year is the defensible minimum; quarterly is better during the year before first certification.
- The right attendees are top management plus the owners of the data being reviewed. In a three-person startup that is usually the whole team.
- A management review that produces a document nobody acts on is worse than no review at all — it creates a traceable record of known problems left to rot. Every decision needs an owner and a date.

---

## Why management review exists at all

Management review is the one process in the QMS where the buck actually stops with the CEO. Every other process can, in principle, be delegated to a process owner. Management review cannot. Clause 5.6 of EN ISO 13485:2016+A11:2021 is explicit that top management shall review the QMS at documented planned intervals to ensure its continuing suitability, adequacy, and effectiveness. "Top management" is defined in the standard — it means the person or group at the highest level directing and controlling the organization. In a startup, that is the CEO and the co-founders, not the RA lead or a hired consultant.

The reason the standard puts this obligation on top management is straightforward. The QMS is the mechanism by which the company controls the safety and performance of its medical devices. If the person running the company does not personally look at how that mechanism is performing, at a defined cadence, with a defined set of data in front of them, then there is no real management accountability for the QMS — there is only the appearance of it. MDR Annex IX, which governs the full QMS assessment route for most higher-class devices, explicitly authorises the Notified Body to inspect records of management review as evidence that top management is engaged. A missing or fictional management review is one of the fastest ways for a Notified Body auditor to downgrade their confidence in the entire QMS.

The practical version for a startup: management review is the meeting where the CEO looks the QMS in the eye, twice a year, with the real numbers in front of them, and signs off — or asks for changes.

## The inputs clause 5.6.2 actually requires

Clause 5.6.2 lists the inputs to management review. The list is prescriptive. A review that skips any of these inputs is not complete.

The required inputs are:

- feedback from monitoring and measurement (including customer feedback, complaints, and post-market surveillance data);
- results of audits (internal audits, supplier audits, and external audits where applicable);
- the status of corrective and preventive actions;
- follow-up actions from previous management reviews;
- changes that could affect the QMS (new products, new regulatory requirements, organisational changes, changes to applicable standards);
- recommendations for improvement;
- applicable new or revised regulatory requirements;
- process performance and product conformity data;
- reporting on the handling of complaints and the need for advisory notices or other field actions.

Read that list carefully. Every bullet maps to a QMS process that should already be running. Customer complaints come from the complaint-handling process. Internal audit results come from the internal audit process. CAPA status comes from the CAPA process. PMS data comes from the PMS system required by MDR Article 83. Management review is not creating new data — it is the consolidation point where all the existing data lands in one place, in front of the CEO, so that the CEO can draw conclusions.

The simplification startups make most often is to prepare a management review presentation that contains none of the above and instead lists "QMS status: green." That is not a management review. That is a status slide. If the minutes of the review do not show specific data against each of the clause 5.6.2 inputs, the Notified Body auditor will find that gap within ten minutes of opening the file.

## The outputs clause 5.6.3 actually requires

Clause 5.6.3 specifies what must come out of management review. The outputs are: the improvements needed to maintain the suitability, adequacy, and effectiveness of the QMS and its processes; improvement of product related to customer requirements; changes needed to respond to applicable new or revised regulatory requirements; and resource needs.

Each of these four output categories needs a concrete answer. Not "no changes needed" written four times. A real answer, with a decision, an owner, and a target date, for every output area that the inputs have flagged. If the inputs showed an internal audit non-conformity in CAPA, the outputs should include the corrective action and who owns it. If the inputs showed a new MDCG guidance document was issued since the last review, the outputs should include the gap analysis assignment and when it is due. If the inputs showed the RA lead was overloaded, the outputs should include the resource decision — hire, outsource, or de-scope.

Outputs without owners and dates are decorative. The single most useful discipline in writing management review minutes is that every decision in the outputs section has a name next to it and a date next to the name.

## The cadence that actually works

Clause 5.6.1 says the review has to happen "at documented planned intervals." The standard does not name a specific frequency. Notified Body auditors expect the frequency to be defensible against the risk class, the size of the organisation, the maturity of the QMS, and the pace of change in the company and in the regulatory landscape.

For most startups, the defensible minimum is twice a year. Once a year is technically permissible but rarely survives an audit when the company is pre-certification or in the first two years post-certification, because too much changes inside six months to claim that a single annual look is enough oversight. Quarterly reviews are better during the build-up year before first Notified Body assessment, because they give the team a rhythm and force the CEO to engage with the QMS data four times before the real audit.

Once the company is mature — stable device, stable QMS, multiple audit cycles with no major findings — the frequency can relax back to twice a year or even annually, with the justification documented. The frequency itself is a management review output: at each review, the team confirms that the current cadence is still appropriate, or changes it.

The concrete pattern that works: put the management review dates in the calendar twelve months ahead, as unmoveable standing meetings. A review that slips by two months because "we are busy" is exactly the pattern a Notified Body auditor is trained to catch.

## Who attends the review

Clause 5.6 requires top management to conduct the review. In a startup, that is the CEO and the co-founders. In addition to top management, the people whose data is being reviewed should be in the room, because the review is more efficient when the process owner can answer a question directly instead of the CEO chasing them afterwards.

For a three-person startup, this usually means the whole team attends. For a ten-person startup, the minimum attendees are the CEO, the person responsible for the QMS (often the quality lead or RA lead), the CTO or head of engineering for the product-conformity inputs, and anyone who owns a specific input area that is likely to produce a decision — for example, the person running PMS if there has been a signal in the PMS data.

The PRRC designated under MDR Article 15, if this role is external to the company, should receive the inputs package and the outputs, even if they do not attend every meeting. Their sign-off on the regulatory compliance side of the review is useful as evidence of oversight.

One attendance rule is absolute: the CEO must actually be in the room. A management review where the CEO delegated their presence is not a management review under clause 5.6. If the CEO cannot attend on the scheduled date, the review is rescheduled, not delegated.

## How to prep the inputs package

The single biggest determinant of whether a management review is efficient or wasted is how well the inputs package is prepared before the meeting. The meeting itself should not be where the data is gathered — the meeting is where the data is reviewed.

A good prep cycle runs two to three weeks before the review. The quality lead or RA lead collects the data for each of the clause 5.6.2 input areas and assembles them into a single document. The document does not need to be long. For each input area, it needs the data, a short commentary on what the data shows, and the specific question for management: is this acceptable, does it require action, does it change anything in the QMS.

A minimal inputs package looks like this:

- **Customer feedback and complaints:** number received in the period, categorised, with any serious ones called out individually.
- **Internal audit results:** which audits were run, non-conformities found, CAPA status.
- **External audit results:** any Notified Body or third-party audit activity in the period.
- **CAPA status:** number open, number closed, any overdue.
- **Previous management review actions:** each one listed with current status.
- **Changes affecting the QMS:** list of changes since the last review (new products, regulatory changes, personnel changes).
- **PMS data:** summary of PMS signals and any trends.
- **Regulatory updates:** any new or revised MDR articles, MDCG guidance, or harmonised standard editions that affect the company since the last review.
- **Resources:** current team load, any gaps the quality lead is aware of.

Send the package to attendees a week before the meeting. Ask them to read it before the meeting. The meeting starts with the CEO working through the package, not with the quality lead reading the package aloud to the room.

## How to document the review

The output of the meeting is the management review record. Clause 5.6.1 requires that records from management reviews be maintained. The Notified Body will ask to see these records, and they will be read carefully.

A good management review record contains: the date and the attendees, a reference to the inputs package (which is itself kept in the QMS records), a section for each of the 5.6.2 input areas with the conclusion top management drew, a section for each of the 5.6.3 output areas with the decisions made, and — critically — an action list where every decision has an owner, a description, and a target date.

The record should be short. Ten pages of prose is worse than three pages of structured conclusions. The purpose of the record is to allow the reader — the Notified Body auditor, or the next management review — to see what was decided, who owns it, and whether it was done. A record that buries the decisions in narrative is a record that helps no one.

The record is signed by top management. For a startup, that is the CEO's signature (electronic is fine, under a controlled e-signature process consistent with the document control procedure). Unsigned management review records are a common audit finding.

## Common mistakes and management review theatre

The common mistakes are predictable and they come up in Notified Body audits every week.

**The status-slide review.** A one-page document with "QMS status: green" and no data. Fails clause 5.6.2 the moment the auditor opens it.

**The copied review.** Last period's minutes with the dates changed. This actually gets caught because the CAPA numbers, audit findings, and action dates do not line up with the records in the rest of the QMS. Auditors compare records across files.

**The delegated review.** The CEO signed but was not in the room, and the minutes show the meeting was led by the quality lead. Fails the top management engagement requirement.

**The no-decision review.** Inputs listed, but the outputs section says "no actions required." This is possible in a very mature QMS with a very clean period, but for a startup it is almost always a signal that the review did not actually look at the data. A startup that has zero decisions coming out of a management review has a review process that is decorative.

**The orphaned action list.** Decisions recorded with owners and dates, but no mechanism to check whether the actions were done. At the next review, the follow-up inputs section cannot be completed honestly because nobody tracked the actions between meetings. Fix this by putting the action list into the same tracker used for CAPAs and internal audit follow-ups.

**The management review that never feeds CAPA.** Non-conformities or observations surfaced during the review that should have been opened as CAPAs but were instead noted as "to be monitored." If the issue is real enough to discuss in management review, it is real enough to be a CAPA under clause 8.5.2.

## The Subtract to Ship approach to management review

The default failure mode in startup management review is not skipping it. It is running a bloated theatrical version that takes a full day, produces a thick deck, and changes nothing. Subtraction means three things.

First, prepare the inputs package in advance and keep the meeting itself to ninety minutes. The meeting is for decisions, not for data gathering. Second, write short structured minutes with every decision tied to an owner and a date, instead of long narrative minutes that read like a meeting transcript. Third, trace every item in the minutes directly to a clause 5.6.2 input or a clause 5.6.3 output. Every sentence that is not anchored to a specific requirement is waste.

What you keep: top management presence, the full 5.6.2 input set, the full 5.6.3 output set, the action list with owners and dates, the documented cadence, and the signed record. That is what clause 5.6 actually requires. Everything else is theatre.

## Reality Check — Where do you stand?

1. Do you have the next two management reviews on the calendar, with dates that are not going to move?
2. Can you name the person responsible for preparing the inputs package, and does that person know what clause 5.6.2 requires?
3. At your last management review, did the minutes show data against every 5.6.2 input area, or were some areas skipped or summarised as "nothing to report"?
4. At your last management review, did the outputs section contain concrete decisions with owners and dates for each 5.6.3 output area?
5. Is every action from your last management review traceable today — either closed with evidence or still open with a current owner and a current status?
6. Was the CEO physically present at the last management review, and is the record signed by top management?
7. If a Notified Body auditor asked to see the management review records for the last twenty-four months, could you produce signed records for every review at the documented cadence?

## Frequently Asked Questions

**How often does management review have to happen under ISO 13485?**
Clause 5.6.1 of EN ISO 13485:2016+A11:2021 requires management review at documented planned intervals but does not set a specific frequency. For most startups, twice a year is the defensible minimum, and quarterly is better in the year before first Notified Body assessment. The frequency must be justified against the risk class, the size of the organisation, and the pace of change in the company and the regulatory environment.

**Who has to attend a management review in a startup?**
Clause 5.6 requires top management to conduct the review. In a startup, that is the CEO and co-founders. In practice, the quality or RA lead and the process owners for the inputs being reviewed also attend, which in a three-person startup usually means the whole team. The CEO's presence is not delegable — a review without top management is not a management review under clause 5.6.

**What are the mandatory inputs to management review?**
Clause 5.6.2 of EN ISO 13485:2016+A11:2021 lists them explicitly: monitoring and measurement feedback including customer complaints and PMS data, audit results, CAPA status, follow-up from previous reviews, changes affecting the QMS, recommendations for improvement, new or revised regulatory requirements, process performance and product conformity data, and complaint handling and field action needs. Every one of these must be addressed in the minutes.

**What are the mandatory outputs of management review?**
Clause 5.6.3 requires decisions and actions related to improvement of the QMS and its processes, improvement of product related to customer requirements, changes to respond to new or revised regulatory requirements, and resource needs. Each of the four output areas should produce a concrete decision with an owner and a date when action is required.

**Can the CEO skip management review and delegate to the quality lead?**
No. Clause 5.6 places the obligation on top management personally. A management review where the CEO is absent and the quality lead signs on their behalf does not meet the standard and will be flagged by any competent Notified Body auditor reviewing the records.

**Does the Notified Body see management review minutes?**
Yes. Under MDR Annex IX, the full QMS assessment route explicitly includes review of management review records. The minutes, the inputs package, the signed record, and the action list are all within scope, and they are compared for consistency with the rest of the QMS records — audit files, CAPA files, PMS files, and training records.

**What happens if a management review is late?**
Record the delay, record the reason, and hold the review as soon as possible. At the next review, the slippage itself becomes an input under "follow-up from previous reviews" and the CEO should sign off on a correction to the cadence plan. Repeated slippage without correction is a sign the review process is not being treated as a real obligation, and a Notified Body auditor will treat it accordingly.

## Related reading

- [The Subtract to Ship Framework for MDR Compliance](/blog/subtract-to-ship-framework-mdr) — the methodology this management review discipline is built on.
- [What Is a Quality Management System for Medical Devices?](/blog/what-is-quality-management-system-medical-devices) — the pillar post for the QMS cluster, where management review sits as a top management process.
- [How to Build a Lean QMS for an MDR Startup](/blog/build-lean-qms-mdr-startup) — the operational playbook for the QMS the review is reviewing.
- [The Minimum Viable QMS for a Medical Device Startup](/blog/minimum-viable-qms) — the smallest honest QMS that still runs real management reviews.
- [MDR Management Responsibility: What the CEO/Founder Must Own](/blog/management-responsibility-mdr) — the companion post on top management accountability under clauses 5.5 and 5.6.
- [CAPA Under MDR and EN ISO 13485:2016](/blog/capa-mdr-iso-13485) — the process that receives the actions coming out of management review.
- [CAPA Without Bureaucratic Overhead](/blog/capa-without-bureaucratic-overhead) — how to keep the action list from management review lean and real.
- [Internal Audits Under MDR](/blog/internal-audits-startup) — the source of one of the required 5.6.2 inputs.
- [Common MDR QMS Audit Non-Conformities](/blog/common-qms-audit-nonconformities) — the patterns management review is meant to catch before the Notified Body does.
- [QMS Audit Preparation Checklist](/blog/qms-audit-preparation-checklist) — how to walk into a Notified Body audit with clean management review records.

## Sources

1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10 (general obligations of manufacturers, including paragraph 9 on the quality management system) and Annex IX (conformity assessment based on a quality management system and on assessment of technical documentation). Official Journal L 117, 5.5.2017.
2. EN ISO 13485:2016+A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes. Clause 5.6 (Management review), including 5.6.1 (General), 5.6.2 (Review input), and 5.6.3 (Review output).

---

*This post is part of the Quality Management Under MDR cluster in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. Management review is where the CEO takes personal responsibility for the QMS. Run it at a documented cadence, prepare the inputs honestly, decide with owners and dates, and sign the record — and it becomes one of the most valuable hours on the CEO's calendar rather than a recurring piece of theatre.*

