By Thomas Schleusner
In the arena of ISO 13485, as long as you’re treating every nonconformance like it requires a corrective and preventive action (CAPA), you’re wasting time. When companies ignore the difference entirely, they’re risking their certifications.
It’s one of the most common misinterpretations of the standard within medical devices: the belief that CAPA and nonconformance (NC) are two different sides of the same coin. One works to find a problem. The other works to fix it.
Sound simple?
Don’t be too sure.
In ISO 13485, the line between these two ideas isn’t just a best practice; it’s enforced. When your products are used on potentially vulnerable people, the bar isn’t performance. It’s safety. This is why the standard treats CAPA and NC as fundamentally different tools: Each has its own purpose in maximizing the safety of the people it serves.
Together, let’s walk through why and where that line exists, how the tools function, and the consequences of treating them as a package deal.
Spotting the difference: What a nonconformance is
In simple terms, a nonconformance is a failure to meet a requirement of the greater standard. From a defective part to a missing record, an NC is the label for anything found awry in any one stage of manufacturing.
The process after an NC is found can vary. Sometimes it’s a big deal. Sometimes it’s not. What matters most is that you noticed it.
Under clause 8.3.2 of ISO 13485, companies are expected to identify and control nonconforming products. This means:
- Quarantining or labeling it clearly
- Stopping it from reaching the next step
- Evaluating the impact(s)
- Deciding if a specific piece or process gets scrapped, reworked, or accepted with justification
- Comprehensively recording what happened and what you did in response
These policies ensure detection and containment. It’s a carefully constructed triage. This is the standard telling you: “You’ve caught the issue. Great! Now you have to keep it from causing more damage.”
In general manufacturing standards found in ISO 9001, this is where most responses stop.
This is where ISO 13485 starts to go further. Whenever there is even the tiniest chance that the issue could affect patient safety, regulators expect to see that it’s been reviewed for possible escalation.
Keep in mind: This isn’t the same thing as solving it.
Digging deeper: When CAPA is needed
CAPA is a structured response to a problem with reach. The main goal of this response is to employ root-cause-driven reasoning.
This is what you launch when you need to solve a deeper problem.
As stated in clause 8.5.2 (“Corrective Action”) and clause 8.5.3 (“Preventive Action”) of ISO 13485, each CAPA process needs to:
- Investigate root cause
- Evaluate systemic risk
- Identify required actions
- Implement and document those actions
- Verify effectiveness
This is not about containment; it’s about control.
CAPA is designed to prevent a problem from happening again in the same system. In the case of preventive action, the objective is to keep the problem from occurring before it comes up.
This is the essence of what sets ISO 13485 apart from the rest of manufacturing. It is the expectation that CAPA isn’t just used to solve problems; it’s also used to learn from them. ISO 13485 ties CAPA to other things such as complaint trends, post-market feedback, and risk management. The feedback loop is never optional. It’s how companies prove their systems are capable of preventing harm.
If you open a CAPA every time someone drops a screw or skips a line on a form, you’re doing too much. If you never open CAPAs, even when the same complaint shows up repeatedly in a short period, you’re not doing enough.
Why the standard draws the line
When the standard divides CAPA and NC, it’s not doing so to make employees’ lives fraught with paperwork. It’s a measure to maintain the integrity and culture of quality systems.
Here’s another way to think about it:
The nonconformance shows you what’s wrong.
A CAPA shows you why it went wrong. Additionally, it shows you what you’ll do so it doesn’t happen again.
The confusing rule-of-thumb to remember is that not all nonconformances require CAPAs, and not all CAPAs begin with a nonconformance. (Sometimes they’re coming from complaints, audits, trends, or just good old-fashioned risk analysis.)
In ISO 13485, that difference matters. When companies treat every nonconformance like a full-blown CAPA, their teams burn out. When you skip the CAPA even though the risk is real, your registrar (and possibly a regulator) will see that as a sign your system can’t protect patients. Both problems pull the culture of CAPA away from its intended mission and from the bottom line of the standard itself, which is protecting patients.
In keeping these tools distinct, ISO 13485 keeps companies from overcorrecting and underreacting whenever there’s a problem in their system.
Common pitfalls that undermine both
Three reported patterns show up in third-party medical device audits over and over again. If you take nothing else from this article, evaluate your system against these three situations:
- Every NC triggers a CAPA. This creates fatigue. It creates that erosion mentioned above. When your team stops taking CAPAs seriously because they know it’s just paperwork, you’re not investigating root cause, you’re just closing forms.
- Nothing gets escalated to CAPA. Some companies have a graveyard of nonconformances, but no effort to spot trends or solve problems at their roots. This is a red flag noticed and acted on immediately by registrars.
- The line between NC and CAPA is undefined. The procedures are too vague. The staff isn’t trained (or diligent) enough to designate the difference. So their practices become guessing, stalling, or staying silent. Behavior like that doesn’t maintain a system. It gambles.
And in ISO 13485 environments, that gamble can ruin—or end—lives.
Understanding when one problem is more than an isolated issue
Whenever a problem repeats itself, it could be pointing to a deeper issue within your system, such as training, process, or a general oversight. Does the rabbit hole extend past one facet of manufacturing? That’s when you assemble a team to take a closer look. Could it impact product safety? Is it likely to happen again? Would an auditor or regulator expect you to dig deeper?
When the answer to any of those questions is “probably,” you’re already in CAPA territory.
Separating nonconformance and CAPA isn’t about bureaucracy. It’s about precision.
Let us help you sharpen that line and celebrate the impact that comes with it.
Final thoughts
CAPA and nonconformance aren’t twins. They’re teammates. One flags the problem. The other makes sure it never shows up again.
When a system can’t reflect that split both on paper and in practice, you’re setting yourself up for poor audit results, frustrated professionals, and issues that’ll end up repeating themselves.
In ISO 13485, that split isn’t just encouraged. It’s expected. And when done right, it’s what makes your system not just functional, but safe.
About the author
With a background in writing and journalism, Thomas Schleusner brings a sharp editorial lens and a deep respect for clarity to the world of quality management. At APEX Quality Assurance, he drives the mission of making quality simple, breaking down dense compliance requirements into clear, accessible insights. In the APEX library, work spans timely industry news, AS9100 guidance, and ISO 13485 resources, giving quality professionals the knowledge they need to stay confident and compliant.
This article first appeared on The APEX Quality Assurance blog and is published here with permission.