ISO 14971: risk management for medical device manufacturers

Last week, the MedTech regulatory community gathered in Lisbon for RAPS Euro Convergence 2026: nearly 100 sessions, hundreds of professionals, and one overriding theme: transformation.The European regulatory landscape is shifting faster than it has in two decades, and the pressure is on every RA team to keep pace.

We were there. And here is what we took away.

The Dominant Signal: Change Is Accelerating

For MedTech manufacturers, the immediate reality is demanding. MDR 2.0 is advancing. The EU AI Act is creating new compliance obligations for software-enabled devices. EUDAMED continues to mature. And teams are being asked to absorb all of this while still meeting existing registration and renewal deadlines.

The practical implication is clear: RA functions that rely on manual tracking, disconnected spreadsheets, and tribal knowledge are being outrun by the pace of change. Across the industry, teams are moving from talking about AI to actively experimenting with it, using it to handle the volume and complexity that manual processes simply cannot absorb. The teams emerging as strategic forces are the ones who have connected, real-time regulatory infrastructure and are putting AI to work within it.

AI Is No Longer Optional Thinking

The conversation at Euro Convergence made one thing clear: AI has moved from future-state to present-tense. Regulatory professionals were encouraged to embrace AI while maintainingaccountability for the outcome and challenging the algorithms.
‍

" Our role is to make sure that the AI does the right interpretations appropriate to our products, to our business."

— João Martins, Director of Regulatory Affairs at Abbott at RAPS Euro Convergence 2026 Opening Plenary
‍

That framing resonates deeply with how we have built AI into Rimsys. The goal was never to replace regulatory judgment; it is to amplify it. Rimsys AI is domain-specific, built on the regulatory data structures and logic that reflect real-world requirements, country-specific nuances, and product context. It proposes, analyzes, and alerts. Your team reviews, approves, and decides.

For teams that are ready to accelerate, Rimsys AI accelerates regulatory intelligence monitoring and submission authoring, removing the repetitive, detail-heavy work so skilled professionals can focus on strategy, market expansion, and the higher-order decisions that increasingly complex regulations demand.
‍

"As future regulators, we will need to be scientifically strong, comfortable with complexity, open to innovation, and also be able to work in increasingly complex environments."

— Rui Santos Ivo, President of Portugal's National Authority of Medicines and Health Products (INFARMED) and chair of the EMA management board, RAPS Euro Convergence 2026 Opening Plenary
‍

MDR 2.0: Reform With Guardrails

A panel of experts representing regulators, industry, and notified bodies gave their views on the proposed revision of the EU Medical Device Regulation at the conference. While their sentiments were largely supportive, notified body representatives urged the European Commission to maintain proactive surveillance of devices to protect patients.

The discussion acknowledged the complexity of balancing reform with patient safety. Simplification and innovation go hand in hand, though if it is overly complicated or overly simplified, it becomes difficult to innovate. Structured dialogues in MDR/IVDR will provide transparency and predictability for manufacturers, especially in early product development.

Regulatory Workflows Cannot Be an Afterthought

A recurring observation across sessions was that MDR 2.0, EUDAMED, and the EU AI Act are only as effective as the operational workflows behind them. Structured dialogues, risk-proportionate pathways, and submissions all require teams to move quickly with accurate, up-to-date product data. That is simply not possible when that data lives across email threads, spreadsheets, and disconnected systems.

The workflows that came up most in Lisbon (change control, renewals, new product introductions, and registration management) are exactly the areas where manual processes create the most risk. A missed renewal. A design change that triggers 40 country-level impact assessments with no system to coordinate them. A registration record that no one has updated since the last audit.

Rimsys keeps these workflows connected and proactive. Renewal expiration reminders fire before deadlines become a risk. Change control impact surveys are configurable to your SOPs, so teams can assign tasks and coordinate work across regions without relying on someone to manually track progress. New product introductions move faster because previous submission content can be reused across markets. Target market data, registration history, and approval status are already centralized, so teams are building on existing work rather than starting from scratcheach time.

The result is regulatory operations that reduce time to market by weeks to months, not add to it. Access information in seconds rather than hours. Regulatory release authorization in minutes rather than weeks. More than 90% reduction in regional regulatory reporting time. These are not projections. They are outcomes reported by Rimsys customers operating in exactly the kind of complex, multi-market environments that dominated the conversation in Lisbon.

The Regulatory Professional Is Evolving

Perhaps the most striking thread across sessions was the evolution of the RA function itself. Regulatory work was once seen mainly in terms of compliance procedures and submissions. Today, the profession is much broader than that.

This evolution is exactly the transition Rimsys is designed to support. When regulatory data is centralized, connected, and visible in real time, RA teams stop spending their days chasing down registration status and start contributing to commercial strategy: market expansion decisions, launch sequencing, change control planning, and executive-level risk communication.

The heart of regulatory operations is not a filing cabinet. It is a living, connected system that elevates the entire function.

What It All Points To

RAPS Euro Convergence 2026 made one thing clear: the organizations that will thrive are those who have invested in regulatory infrastructure that can absorb change without breaking. Rimsys is the platform built for exactly this moment: enterprise-grade, intuitive enough for global teams to actually use, and trusted by 6 of the top 12 global MedTech manufacturers worldwide.

Book a conversation with our team

‍Spring 2026 embeds submission authoring, AI-powered regulatory monitoring, and configurable impact workflows inside a single RIM platform, the first step toward Rimsys' AI vision for global regulatory operations.

PITTSBURGH, PA, May 5, 2026 – Regulatory Information Management (RIM) software was built to store records. That foundation has served its purpose and reached its limit. Today, Rimsys announces the Spring 2026 release: a platform designed not to hold regulatory data, but to execute on it.

Submission volumes are growing. Markets are multiplying. Regulatory change is accelerating. Spring 2026 gives regulatory teams the tools to keep pace: embedded authoring, reusable submission content, configurable impact workflows, and AI-powered intelligence, all inside a single platform.

"Our vision for Rimsys is a platform that makes regulatory expertise go further, companies move faster, and products reach more markets than any team could accomplish alone. Spring 2026 is another meaningful step toward that vision. We are embedding the tools and intelligence that allow regulatory affairs professionals to operate at a different level, doing more strategic work, entering markets faster, and staying ahead of regulatory change rather than reacting to it. What we are building next makes this release the starting line." – James Gianoutsos, CEO

What Spring 2026 Delivers

A brand new website that provides in-depth information about the Rimsys offering and the benefits to MedTech manufacturers, including details on these new products:

Intelligence: AI-Powered Regulatory Monitoring

Rimsys Intelligence provides access to regulations, guidance documents, safety alerts, and legislation across more than 90 countries. AI triage and prioritization surface the updates most relevant to each customer's specific products and markets, eliminating hours of manual surveillance and putting the right information in front of the right people.

When a change requires action, teams can move directly from regulatory signal to impact assessment without a manual handoff. Intelligence represents Rimsys' first production deployment of context-aware AI operating across a customer's live regulatory data, a foundation that will expand significantly in future releases.

Advanced Submissions: A Unified Submission Execution Workflow

Advanced Submissions consolidates everything required to create, manage, and publish a regulatory submission into a single workflow inside Rimsys, eliminating the disconnected tools, manual reformatting, and version fragmentation that have defined submission work for too long. Three capabilities anchor it:

Rimsys Editor

The Rimsys Editor is the cornerstone of Advanced Submissions and the most significant capability in this release. It brings word-compatible authoring and editing natively inside Rimsys, fully compatible with Microsoft Word^®, allowing regulatory teams to create, co-author, review, and publish submission content without leaving the platform for the first time.

The Editor supports real-time co-authoring, tracked changes and redlining, rich content including tables and images, document comparison, and PDF publishing with standardized headers, footers, and company branding applied automatically. AI-assisted authoring is available as a configurable option, enabling teams to summarize, refine, expand, and translate content within their workflow. Rimsys AI is human-in-the-loop by design.

Universal Submissions

Universal Submissions enables teams to build from a single universal template (an IMDRF Technical Document) with content automatically mapped into market-specific templates. One master structure, many markets, without rebuilding from scratch.

Reusable Submissions

Reusable Submissions takes a completed submission from one market and uses it as the starting point for a new one. The system automatically maps content into the target market's template, carrying applicable sections forward reducing the content creation time up to 90% and compressing the time required to enter each additional market.

Configurable Impact Surveys: Governed Change Assessment at Scale

Impact Surveys are now fully configurable. Templates can be defined for specific change event types, tied to countries or registrations, and triggered automatically from Rimsys Intelligence findings replacing ad hoc assessments with repeatable, governed workflows. This integration creates a direct line from change event to regulatory scope, with results tracked in a single audit-ready trail.

A Platform Built for What's Next

Spring 2026 establishes more than a set of new capabilities. It establishes the execution infrastructure, structured data model, and embedded AI foundation on which Rimsys' longer-term vision is being built.

That vision: a world where regulatory experts are amplified by intelligence, not constrained by information. Where the knowledge required to enter a new market, interpret a regulatory change, or scope a submission is instantly available to every member of the team. Where regulatory operations scale not by spreading experts thin, but by giving them tools that multiply their impact.

Spring is the first production step in that direction. Every submission authored inside the platform, every intelligence signal triaged by AI, and every impact assessment connected to structured regulatory data deepens the foundation. Future releases will build on it directly, expanding AI capabilities, automating more of the regulatory workflow, and ultimately enabling teams to do work that today requires external expertise to be done inside Rimsys.

Regulatory Execution as a Business Lever

Spring 2026 is built to move metrics that matter: reduced submission cycle time variance, improved approval predictability, lower marginal effort per market, and increased team capacity without proportional headcount growth. For executive leadership, earlier approvals translate directly into faster market access and accelerated revenue recognition.

Availability

Spring 2026 is now Generally Available. Existing customers on the Organizer product will retain access to their current experience.

To learn more about the Spring 2026 release and how Rimsys can accelerate your regulatory operations, visit rimsys.io or contact your Rimsys representative.

About Rimsys

Rimsys is the heart of regulatory operations for the medical device industry and the platform at the center of an AI-driven transformation in how regulated products reach global markets. A living, connected regulatory platform, Rimsys keeps regulatory intelligence, product data, approvals, and change management continuously connected, enabling organizations to expand into global markets with speed, precision, and confidence. Enterprise-ready yet intuitive to use, Rimsys is trusted by 6 of the top 12 global MedTech manufacturers to accelerate time to market and scale regulatory operations worldwide. To learn more, visit rimsys.io.

Media Contact

letschat@rimsys.io

rimsys.io

‍

Defining nonconformance

Very simply, a nonconformance occurs when a specification is not met. The FDA defines a specification in 21 CFR 820.3 as “any requirement with which a product, process, service, or other activity must conform,” and ISO 13485:2016 as a “need or expectation that is stated, generally implied, or obligatory.”

While managing nonconformance starts with fully defining specifications; it is the identification, tracking, and resolution of nonconformance that is a focus of medtech quality and regulatory teams and a requirement of both ISO 13485:2016 and the FDA’s 21 CFR Part 820 quality system regulation.  

Identifying nonconformance occurrences

As part of a compliant quality system, medical device manufacturers should implement procedures to identify and address both major and minor non-conformances. Nonconformances may be identified through processes found in multiple subsystems that are part of an overall quality management system within the organization.

The systems and subsystems in which nonconformances are identified typically include:

• ERP
• Regulatory information management (RIM)
• Product lifecycle management (PLM)
• Document management
• Customer service / customer management  
• Complaint handling
• Device history records
• Audit management
• CAPA
• Training/learning management  
• Calibration/preventative maintenance
• Development change management

Evaluating nonconformance

Once a nonconformance is identified, it should be evaluated in a timely manner, and a determination made as to the disposition of any affected products. Requirements for additional investigation and reporting should also be identified. Based on the severity of the nonconformance and its effect on the safety and efficacy of devices being manufactured or already in the market, a CAPA (corrective/preventative action) record may need to be created. In the U.S., this is defined in the quality regulation 21 CFR Part 820.100.

To disposition a nonconformance, consider the following:

• Will the existing system detect the nonconformance if it recurs in time for remediation?
• How likely is it that this issue will recur?
• What is the impact of the non-conformance (i.e., could it affect patient health)?

Issues that are more severe or are more likely to recur should trigger a more immediate and comprehensive response.

Nonconformances that are escalated and handled under CAPA are based on risk and can include those that have or could have an impact on a product or process that is:

• Not easily corrected
• Recurring
• Severe

In addition, nonconformances that rise to the level of a CAPA require significant resources and typically result in a full project to identify root cause(s), containment, and corrective actions, and monitoring for effectiveness.  

Nonconformances that don’t require a CAPA have simpler resolutions that include documenting actions taken to correct the issue (or justification for no action). If the issue is not recurring, there may be no other action required. For example, a nonconforming material received from a vendor may be a singular issue that was easily identified through existing inspection procedures and is not expected to recur. In this case, the material is returned to the vendor and no additional action is required.

Processes that are out of conformance are often resolved through improved documentation and/or additional user training. However, be sure that the true root cause of the nonconformance is identified as procedural nonconformances can signal additional issues.

Documenting nonconformances

An important part of nonconformance procedures is the nonconformance report (NCR) or other documentation procedures.  Nonconformances are typically documented within the subsystem in which they were identified. Some organizations will have a nonconforming system in which issues originating from all subsystems are documented. Centralized nonconformance systems allow for trending and other analysis across all subsystems, the results of which may generate CAPAs.  

The requirements for documenting a nonconformance may vary by subsystem. In general, however, nonconformance documentation records:

• The requirement/specification that was not met.
• The objective evidence supporting the determination.
• The action that is being taken to address the nonconformity.

Nonconformances are a common point of focus during quality audits by regulatory bodies, including the FDA, and should follow a well-documented process. Auditors will often try to determine if the quality system is functioning effectively by looking at self-identified nonconformances and comparing them to externally reported nonconformances. This is to ensure that nonconforming products were not released, or that the appropriate actions were taken to resolve issues in the field.

The importance of nonconformance reports

Nonconformances related to distributed products of higher risk result in nonconformance reports issued to government authorities through vigilance reporting, medical device reporting, and field action/recall reports. For example, the FDA requires that a medical device report be submitted within 30 days of a serious adverse event (see 21 CFR Part 803 Subpart E). Strong reporting procedures for nonconformances of all types are important in identifying trends, addressing issues before they become critical, and as part of a complete quality management system.

A nonconformance reporting procedure is only part of a strong quality system. Read An overview of 21 CFR part 820 and ISO 13485 overview for more information on establishing quality systems for medtech companies.

‍