Quality · The complete guide

Management review

TL;DR

The periodic executive review by which top management owns the quality system — required by 21 CFR 820.20(c), ISO 9001 §9.3, ISO 13485 §5.6, ICH Q10 §2.6 and EU GMP Chapter 1 §1.4(xv). What inputs are mandatory, what outputs the inspector expects, and how to run it so the minutes are evidence, not theatre.

Reviewed · By V5 Ultimate compliance team

01 What management review actually is

Management review is the periodic, formal, evidence-based meeting at which top management of a regulated organisation reviews whether its quality system is working — and is accountable in writing for what they decide as a result. It is the mechanism every major framework uses to enforce executive ownership of quality, rather than allowing the quality system to be quietly delegated to a QA director with no boardroom traction.

It is not a QA team meeting. It is not a status update from the quality department. It is an event at which top management — by which the standards mean the people who can authorise resources, change strategy, and stop production — reviews defined inputs, makes documented decisions, and assigns dated actions. The minutes are themselves a controlled QMS record and are routinely the first artefact a regulatory inspector reads when assessing 'tone at the top'.

02 Why inspectors read the minutes first

FDA's QSIT (Quality System Inspection Technique) guide explicitly names management review as one of four 'subsystems' an inspector covers in every comprehensive inspection. Notified Bodies (BSI, TÜV SÜD, DEKRA) request the last three years of management-review minutes within the first hour of an MDR / ISO 13485 audit. MDSAP auditors have specific scripted questions about whether all required inputs were considered. The reason is simple: if top management does not own quality, no amount of CAPA or document control downstream will keep the system running.

What inspectors look for in the minutes is not the meeting itself but the consequences. Decisions made, resources reallocated, scope of CAPA effectiveness reviewed, repeat findings escalated, customer complaints driving redesign discussion. Minutes that read 'CAPA system reviewed — operating effectively' with no quantitative discussion and no actions are read as evidence of theatre. Minutes that read 'CAPA effectiveness pass rate declined from 92% to 78% — root cause: insufficient time being given to effectiveness verification at site B; action: dedicated QA reviewer headcount approved for site B Q3, monthly status to next review' are read as evidence the system is alive.

FDA warning letters citing 820.20(c) typically use one of three wordings: 'failure to establish a procedure for management review', 'management reviews were not conducted at defined intervals', or — most commonly — 'management reviews did not address all required inputs'. The third is the easiest to fall into and the easiest to defend against: a checklist of required inputs, included in every meeting pack, with a 'considered / no change recommended' note against each that does not need extended discussion.

03 Regulatory map — who requires it

Management review is one of the most universally required QMS elements. The clauses differ in level of prescription — ISO 13485 §5.6 is the most prescriptive about inputs and outputs, FDA 820.20(c) is the most outcome-focused.

Regime | Clause | What it requires
FDA devices (QSR/QMSR) | 21 CFR 820.20(c) | Management with executive responsibility shall review the suitability and effectiveness of the quality system at defined intervals and with sufficient frequency according to established procedures.
FDA drugs | 21 CFR 211.180(e) / Annual product review (211.180(e)) | Quality unit must conduct an annual review of records to evaluate quality standards; ICH Q10 layers PQS management review on top.
ICH | Q10 §2.6 | Management review of process performance and product quality; identifies opportunities for continual improvement; assesses adequacy of resources.
EU GMP | Chapter 1 §1.4(xv) | Senior management to participate in the design, implementation, monitoring and maintenance of the PQS via regular management review.
ISO 9001 | §9.3 | Top management to review the QMS at planned intervals, considering specified inputs and producing specified outputs (changes, resources, improvement).
ISO 13485 | §5.6.1 / §5.6.2 / §5.6.3 | Most prescriptive: 'documented procedures for management review' (§5.6.1), itemised mandatory inputs (§5.6.2), itemised mandatory outputs (§5.6.3).
IATF 16949 / AS9100 | §9.3 | Sector ISO 9001 derivatives with additional inputs (e.g. customer-specific requirement performance for IATF).
MDSAP | Companion Document — Management | Scripted questions: were all inputs considered? were actions assigned? are previous actions tracked to closure?
EU MDR / IVDR | Annex IX (QMS) | Notified Body assessment includes evidence of management review effectiveness as part of QMS conformity.
IEC 62304 | §5.1 / cross-reference to 13485 | Software lifecycle management requires top-management commitment; assessed via management review.
GFSI (BRCGS / SQF / FSSC) | Various | Each scheme requires documented management review with food-safety performance, customer complaints and audit results as inputs.
FSMA 117 / 121 | Subpart G | Documented review of food-safety plan and preventive controls — management-review-equivalent.
AAMI TIR45 / cybersecurity standards | Various | Increasingly, post-market cybersecurity performance is expected as a management-review input for connected devices.

04 Mandatory inputs — the ISO 13485 §5.6.2 canonical list

ISO 13485 §5.6.2 is the most explicit clause on inputs and is widely used as the gold-standard checklist even by organisations not certified to 13485, because covering all of §5.6.2 typically covers all other regimes' input requirements as well. The mandatory inputs:

  1. Feedback (including customer feedback and complaints).
  2. Complaint handling — volume, trends, categorisation, time to closure.
  3. Reporting to regulatory authorities (vigilance / MDR / field-safety notices) and any actions arising.
  4. Audits — internal, regulatory, supplier; findings, status, trends.
  5. Monitoring and measurement of processes — KPI performance, process capability.
  6. Monitoring and measurement of product — release vs. specification, OOS / OOT rates.
  7. Corrective action — CAPA volume, effectiveness, repeat-root-cause flags.
  8. Preventive action — proactive risk-reduction actions and their status.
  9. Follow-up actions from previous management reviews — open, in-progress, closed, slipped.
  10. Changes that could affect the quality system — regulatory changes, organisational changes, new products, new sites.
  11. Recommendations for improvement.
  12. Applicable new or revised regulatory requirements.

ISO 9001 §9.3.2 adds: status of quality objectives; performance of external providers; adequacy of resources; effectiveness of actions taken to address risks and opportunities. ICH Q10 §2.6 adds explicitly: results of any inspections; emerging issues that may affect the PQS.

05 Mandatory outputs — decisions, not summaries

Outputs are what an inspector reads to judge whether the review actually changed anything. ISO 13485 §5.6.3 is again the most explicit:

  1. Improvements needed to maintain the suitability, adequacy and effectiveness of the QMS and its processes.
  2. Improvements to product related to customer requirements.
  3. Changes needed to respond to applicable new or revised regulatory requirements.
  4. Resource needs.

ISO 9001 §9.3.3 specifies decisions and actions related to opportunities for improvement, any need for changes to the QMS, and resource needs. ICH Q10 §2.6 emphasises that outputs should include 'actions arising from the review' with owners and timelines.

In practice, the outputs section of the minutes should read like a project tracker, not a discussion summary. Each output line carries: a description; a named owner with executive accountability; a target date; the next review checkpoint. The next management review's first input is the status of those actions — closing the loop.

06 How often — defining 'defined intervals'

Every clause says 'at defined intervals' and leaves the actual frequency to the organisation, provided it is risk-justified and consistently followed. Industry norms:

Organisation type | Typical frequency | Rationale
Large pharma manufacturer | Quarterly | Annual product reviews + frequent enough to catch drift; aligns with quarterly financial cycles.
MedTech manufacturer | Quarterly minimum, often monthly executive scorecard | ISO 13485 §5.6 + Notified Body expectation; monthly cadence common where rapid product evolution.
Small / start-up regulated organisation | Every 4-6 months minimum | Below the 'annual' floor anyone can defend; small-org agility justifies higher frequency.
CDMO / contract manufacturer | Quarterly + ad-hoc per sponsor request | Per-sponsor reviews layered on; rolled-up corporate review still required.
Food manufacturer (GFSI-certified) | Monthly safety-team + quarterly executive | Daily/weekly food-safety risk warrants high cadence; executive review still quarterly.
Software-only SaMD | Quarterly, with monthly product-quality scorecard | Continuous-release software needs continuous monitoring; review still quarterly per 13485.

Annual is the floor that every regime tacitly accepts but no inspector likes for any non-trivial organisation. If you choose annual, your justification needs to demonstrate that more frequent operational reviews exist downstream and that the annual is a true strategic check, not the only check.

Skipping a scheduled review is far worse than holding it short. If the calendar has 'quarterly' and a quarter is skipped, the inspector finds the gap immediately and reads it as failure of the management commitment clause itself. If you cannot hold the full meeting, hold a short documented review of the most-critical inputs and book the deep-dive separately.

07 Who must attend — 'top management' is a defined term

The standards use 'top management' (ISO) or 'management with executive responsibility' (FDA QSR) as a specific term: the person or group that directs and controls the organisation at the highest level. In a small organisation, that may be the CEO and one or two functional heads. In a large one, it is the executive team. The QA director chairing alone is not management review — it is QA reporting.

Typical attendee list for a mid-size regulated manufacturer:

  • CEO or General Manager (chairs, or formally delegates with documented authority).
  • Head of Quality Assurance (presents inputs, owns the meeting pack).
  • Head of Regulatory Affairs (regulatory landscape, vigilance/MDR position).
  • Head of Operations / Manufacturing (process performance, capacity, resource needs).
  • Head of R&D / Product (changes affecting QMS, new products in pipeline).
  • Head of Supply Chain (supplier performance, supplier audit outcomes).
  • Head of Customer Service / Field Service (complaints, post-market signals).
  • Site quality leads for each manufacturing site (status by site).
  • Optional: legal, finance, IT/data integrity, cybersecurity, sustainability — invited when topics warrant.

Apologies are recorded in the minutes. Persistent absence by a required attendee — particularly by the CEO or designated senior manager — becomes its own audit finding because it undermines the executive-ownership clause.

08 Running the meeting — agenda and discipline

A management review that earns the minutes-as-evidence treatment runs to a tight agenda mapped 1:1 against the required inputs. A workable shape for a quarterly review:

  1. Open — confirm quorum, confirm minutes of previous meeting, accept agenda.
  2. Status of previous-meeting actions — every action read out with owner and current status; closed actions confirmed, open actions explicitly forwarded.
  3. Regulatory landscape — new or revised regulations, vigilance/MDR status, recent inspections.
  4. Customer feedback and complaints — volume, trends, severity, time-to-closure, repeat issues.
  5. Internal and external audit programme — schedule status, findings, repeat findings, supplier audit highlights.
  6. Process and product performance — KPI scorecard, release-rate, OOS/OOT rate, on-time delivery.
  7. CAPA — open volume, ageing, effectiveness pass rate, repeat-root-cause flags.
  8. Risk register — top risks, changes since last review, new risks emerging.
  9. Changes affecting the QMS — organisational, new sites, new products, system changes.
  10. Resource adequacy — headcount, capability, system tooling, training capacity.
  11. Improvement opportunities — proposals on the table, decisions taken.
  12. Decisions and actions — explicit roll-call of every decision with owner and date.
  13. Close — confirm date of next meeting, distribute draft minutes for review.

Most reviews benefit from a pre-read pack distributed 5-7 days ahead, so the meeting itself is decision-focused rather than data-presentation-focused. The pack is itself a controlled document and a retention record.

09 The minutes — what makes them inspectable evidence

Minutes that pass inspection share specific properties. Most quality-system maturity in this area shows up in the minutes themselves.

  • Header: date, location, attendees and apologies, chair, minute-taker, version.
  • Approval block: signed by chair (and often by minute-taker), date of approval. Two-person e-signature where the chair is not also the QA owner.
  • Section per required input — even if a single line. 'Reporting to regulatory authorities — nil this period' is acceptable; absence of the heading is not.
  • Quantitative content where the input is quantitative. 'Complaint volume reviewed' is weak; 'Complaint volume: 47 (Q1: 52, Q4-prior: 61) — downward trend, no severity escalation' is strong.
  • Decisions and actions in a structured table — description, owner, target date, status field for next-review update.
  • Cross-references — citation of the source records (CAPA IDs, audit report numbers, complaint cluster IDs) so an inspector can drill into any input.
  • Retention statement — minutes retained per QMS retention SOP, typically 10 years or life-of-product + relevant tail.

10 Pre-built KPI pack — what to put on the dashboard

The slides or screens that drive a good management review do not change much month-to-month — the value is in the trend. A workable KPI pack covers:

  • Right-first-time / batch release rate — last 13 months, by site and product family.
  • OOS / OOT rate — count and rate, with severity split.
  • Deviations — count, trend, top three root-cause families, average time to closure.
  • CAPA — open count, average age, effectiveness pass rate (target ≥85%), repeat-CAPA count.
  • Complaints — total, by severity, by product family, time-to-closure, regulatory-reportable subset.
  • Field-safety / vigilance — events reported, status of investigation, regulator interactions.
  • Internal audit — % of programme completed, findings by severity, top three repeat themes.
  • External audit / regulatory inspection — outcomes since last review, Form 483 observations, warning-letter risk register.
  • Supplier quality — top-10 supplier scorecard, supplier-NCR rate, supplier-audit outcomes.
  • Training compliance — % of training current on the population, % of overdue on required SOPs.
  • Document control — open change requests, overdue periodic reviews, version-rollout adoption.
  • Risk register — top risks, residual risk movement, new risks added.
  • Resources — headcount vs. plan in QA / operations, vacancies, training-pipeline.
  • Customer / market — on-time delivery, customer scorecard ratings.
  • Cybersecurity / data integrity — incidents, audit-trail review status, Annex 11 / Part 11 anomalies.

A mature dashboard surfaces each metric with: current value, prior period, 13-month sparkline, target / threshold, owner. If any metric requires interpretation, a one-line commentary block under it does the job. Big slide-decks of unannotated charts are the enemy of decision-making and a frequent audit-comment trigger.

11 Common failure modes — the 483 / observation catalogue

  • 'Management reviews were not conducted at defined intervals' — gaps in the schedule, no documented justification for slippage.
  • 'Management reviews did not address all required inputs' — most-common ISO 13485 §5.6.2 finding; structural fix is a checklist-driven pack.
  • 'Outputs were not documented as actions with owners and dates' — minutes read as discussion summaries, not as decisions.
  • 'Previous-meeting actions were not reviewed for closure' — actions assigned at meeting N never appear at meeting N+1.
  • 'Top management did not attend' — chair was the QA director with no executive attendee; defeats the executive-ownership clause.
  • 'Procedure for management review does not exist or is not followed' — the meta-failure; SOP must define frequency, attendees, inputs, outputs, minutes process, retention.
  • 'Quality objectives status not reviewed' — ISO 9001 §9.3.2 specific input; commonly missed when the organisation has objectives only in the strategic plan and not in the QMS.
  • 'Effectiveness of CAPA system not addressed' — CAPA volume reported but pass rate, repeat rate and trend not discussed.
  • 'Resource adequacy not assessed' — minutes record performance but never the headcount / capability question; one of the clauses most-easily overlooked.
  • 'New or revised regulatory requirements not reviewed' — regulatory landscape input absent or generic; particularly common around MDR transition, Annex 1 revision, MoCRA, FSMA 204.

12 Computerised-system considerations — Part 11 and Annex 11

Where the management-review pack and minutes are assembled and stored in a computerised system, the records inherit the full data-integrity obligation. ALCOA+ at the record level. Audit trail on every change to the pack and to the minutes. Two-person e-signature where the chair is not also the records owner. Locked-after-approval state on the minutes. Retention aligned with the SOP-defined retention (typically 10 years or life of product + relevant tail).

Three traps worth designing out: (1) draft minutes circulated as unsigned PDFs and then approved by email — that breaks the audit-trail-on-the-record principle. The approval must happen in the system. (2) The KPI pack regenerated post-meeting because someone notices a number was wrong — the original-as-presented pack must be retained, with the corrected version added as a supplement. (3) Action-tracker maintained outside the QMS — actions assigned at the meeting must live in the same system as the minutes, with audit trail on status changes, otherwise the closure evidence becomes unreliable.

13 Metrics about the management-review process itself

  • % of scheduled reviews held on date (target 100%; slippage triggers SOP review).
  • Required-input coverage rate (target 100% per ISO 13485 §5.6.2 checklist).
  • Top-management attendance rate (target ≥95%; persistent absence is an audit risk).
  • Average number of actions assigned per review — a healthy system generates 8-15 actions per quarterly review; near-zero suggests theatre.
  • Previous-meeting action closure rate at review time — target ≥80%; chronic <50% indicates accountability failure.
  • Average action age — target ≤90 days; ageing actions undermine the loop.
  • Time from meeting to approved minutes — target ≤10 working days; longer than 30 days is itself an audit observation.
  • Inspector / auditor comments on management review subsystem — target zero observations; non-zero requires CAPA on the management-review process itself.

14 How V5 Ultimate handles management review

Management review in V5 is not a separate module bolted on for compliance — it is a live assembly view on the QMS data already in the system, with the meeting workflow on top. The capabilities, end to end:

  • Pre-built KPI pack covering all ISO 13485 §5.6.2 inputs, regenerated live for any chosen review date — no spreadsheet roll-up, no end-of-quarter scramble.
  • Required-input coverage checklist enforced in the pack template — every §5.6.2 input has its section, with a single-line 'no material change' note available when the input does not need extended discussion.
  • Previous-meeting actions auto-loaded as the second pack section, with current status pulled live from the QMS task tracker — chair sees on screen what is closed, what is open, what slipped, with the owners named.
  • In-meeting decision capture — actions assigned during the meeting are entered live into the QMS, with owner, target date and parent-review reference, so they appear automatically at the next review.
  • Minutes are a controlled document with version, two-person e-signature (chair + minute-taker), audit-trail on every edit, locked after approval, retained per SOP-defined retention.
  • Attendance log captured and reportable — top-management attendance rate tracked over time as a system health metric.
  • Quantitative inputs pre-annotated — when CAPA effectiveness pass rate, complaint volume, or audit-finding repeat rate breaches its threshold, the pack flags the breach so the chair cannot fail to discuss it.
  • Action-tracker dashboard between meetings — all open management-review actions visible to the executive team with ageing, owner, status; not a separate spreadsheet.
  • Regulator-inspection mode — when an inspector requests management-review evidence, one click produces a packet: last N reviews' minutes, pre-read packs, action-closure status, attendance log, signed.
  • Audit-trail and ALCOA+ controls on every artefact — Part 11 / Annex 11 by construction, not by add-on.

Frequently asked questions

Q. How often must we hold a management review?

Every regime says 'at defined intervals' and leaves the actual frequency to you, provided it is risk-justified and consistently followed. Norms: large pharma and mid-size MedTech quarterly; small / start-up regulated organisation every 4-6 months; food manufacturers monthly safety-team + quarterly executive. Annual is the floor any regime tacitly accepts but no inspector likes for a non-trivial organisation. Skipping a scheduled review is far worse than holding it short.

Q. Who counts as 'top management' for the meeting?

ISO uses 'top management', FDA QSR uses 'management with executive responsibility' — both mean the person or group that directs and controls the organisation at the highest level. In small organisations, that may be the CEO and one or two functional heads. In large organisations, the executive team. The QA director chairing alone is not management review — it is QA reporting, and inspectors will cite the absence of executive presence as a failure of the ownership clause.

Q. Can we skip inputs that have nothing to discuss?

You cannot skip them — but you can dispatch them in one line. The most-common 483 citation under ISO 13485 §5.6.2 is 'minutes did not address all required inputs'. The fix is structural: every required input gets its section in the pack and the minutes, and a 'no material change this period, no action required' line is acceptable when there is genuinely nothing to discuss. Absence of the heading is not.

Q. What is the difference between management review and a quality dashboard?

A dashboard reports the state of the QMS continuously. Management review is a periodic event at which top management makes decisions about that state, with documented outputs. Without the decisions and the named owners and dates, you have a dashboard, not a management review — and the standards require a management review, not a dashboard.

Q. Do the minutes need to be signed?

Yes. The minutes are a controlled QMS record, and like any controlled record they require approval. Standard practice: signed by the chair (executive sign-off) and the minute-taker (record-keeper sign-off), with two-person e-signature where the system supports it. Minutes signed only by the QA director are vulnerable to the 'no executive ownership' citation. Approval is captured with date and version; once approved, the minutes are immutable.

Q. How long do we keep management-review records?

Per your QMS retention SOP. Typical defaults: 10 years from the meeting date, or life-of-product + 2 years (medical devices), or life-of-product + 1 year (drugs) — whichever is longer. External regulatory inspection reports and the minutes that responded to them are retained indefinitely as part of the regulatory file. The retention rule must be in writing, applied consistently, and capable of being demonstrated to an inspector.

Q. Can a management review be held by video conference?

Yes — every major regime is silent on the meeting modality and concerns itself only with the substance and the records. Increasingly the norm for multi-site organisations is video conference with the meeting itself recorded as an additional record (not in place of minutes — minutes still required). The same evidence rules apply: attendance log, required inputs, decisions and actions, signed minutes.

Q. What is the relationship between management review and the annual product review (APR)?

An APR (FDA 21 CFR 211.180(e)) is a product-by-product retrospective evaluation of records and data; it is a primary input to management review, not a substitute for it. The APR answers 'is this product performing on quality and process capability?'; the management review answers 'is our quality system as a whole working, and what are we going to change about it?'. Both are required for drug manufacturers; only management review is required for device manufacturers (though APR-equivalent activity is common practice).
