In the arena of ISO 13485, as long as you’re treating every nonconformance like a CAPA, you’re wasting time. When companies ignore the difference entirely, they’re risking their certifications.

It’s one of the most common misinterpretations of the standard within medical devices: the belief that CAPA and nonconformance (NC for short) are two different sides of the same coin. One works to find a problem. The other works to fix it.

Sound simple?

Don’t be too sure.

In ISO 13485, the line between these two ideas isn’t just a best practice; it’s enforced. When your products are used on potentially vulnerable people, the bar isn’t performance. It’s safety. This is why the standard treats CAPA and NC as fundamentally different tools: each has its own purpose in maximizing the safety of the people it serves.

Together, let’s walk through why and where that line exists, how the tools function, and the consequences of treating them as a package deal.

Spotting the Difference: What a Nonconformance Is

In simple terms, a nonconformance is a failure to meet a requirement of the greater standard. From a defective part to a missing record, an NC is the label for anything found awry in any stage of manufacturing.

The process after an NC is found can vary. Sometimes it’s a big deal. Sometimes it’s not. What matters most is that you noticed it.

Under ISO 13485 Clause 8.3.2, companies are expected to identify and control products that have a nonconformance. This means:

  • Quarantining or labeling it clearly
  • Stopping it from reaching the next step
  • Evaluating the impact(s)
  • Deciding if a specific piece or process gets scrapped, reworked, or accepted with justification
  • Comprehensively recording what happened and what you did in response

These policies ensure detection and containment. It’s a carefully constructed triage. This is the standard telling you: “You’ve caught the issue. Great! Now you have to keep it from causing more damage.”

In general manufacturing standards found in ISO 9001, this is where most responses stop.

This is where ISO 13485 starts to go further. Whenever the tiniest chance that the issue could affect patient safety exists, regulators expect to see that it’s been reviewed for possible escalation.

Keep in mind: this isn’t the same thing as solving it.

Digging Deeper: When CAPA Is Needed

Corrective Action and Preventive Action (CAPA) is a structured response to a problem with reach. The main goal of this response is to employ root-cause-driven reasoning.

This is what you launch when you need to solve a deeper problem.

As stated in ISO 13485 Clause 8.5.2 (Corrective Action) and 8.5.3 (Preventive Action), each CAPA process needs to:

  • Investigate root cause
  • Evaluate systemic risk
  • Identify required actions
  • Implement and document those actions
  • Verify effectiveness

This is not about containment, it’s about control.

CAPA is designed to prevent a problem from happening again in the same system. In the case of preventive action, it is designed to keep the problem from occurring before it comes up.

This is the essence of what sets ISO 13485 apart from the rest of manufacturing: the expectation that CAPA isn’t just used to solve problems but also to learn from them. ISO 13485 ties CAPA to other inputs such as complaint trends, post-market feedback, and risk management. The feedback loop is never optional. It’s how companies prove their systems are capable of preventing harm.

When you open a CAPA every time someone drops a screw or skips a line on a form, you’re doing too much. When you never open CAPAs, even when the same complaint shows up repeatedly in a short period, you’re not doing enough.

Why the Standard Draws the Line

When the standard divides CAPA and NC, it’s not doing so to make employees’ lives fraught with paperwork. It’s a measure to maintain the integrity and culture of quality systems.

Here’s another way to think about it:

The nonconformance shows you what’s wrong.

A CAPA shows you why it went wrong. Additionally, it shows you what you’ll do so it doesn’t happen again.

The confusing rule-of-thumb to remember is that not all nonconformances require CAPAs, and not all CAPAs begin with a nonconformance. (Sometimes they’re coming from complaints, audits, trends, or just good old-fashioned risk analysis.)

In ISO 13485, that difference matters. When companies treat every nonconformance like a full-blown CAPA, their teams burn out. When they skip the CAPA even though the risk is real, their registrar (and possibly a regulator) will see that as a sign the system can’t protect patients. These problems erode the culture of CAPA, pulling it away from its intended mission and from the bottom line of the standard itself: protecting patients.

In keeping these tools distinct, ISO 13485 keeps companies from overcorrecting and underreacting whenever there’s a problem in their system.

Common Pitfalls That Undermine Both

Three reported patterns show up in third-party medical device audits over and over again. If you take nothing else from this, evaluate your system against these three situations:

1. Every NC triggers a CAPA. This creates fatigue. It creates that erosion mentioned above. When your team stops taking CAPAs seriously because they know it’s just paperwork, you’re not investigating root cause, you’re just closing forms.

2. Nothing gets escalated to CAPA. Some companies have a graveyard of nonconformances, but no effort to spot trends or solve problems at their roots. This is a red flag noticed and acted on immediately by registrars.

3. The line between NC and CAPA is undefined. The procedures are too vague. The staff isn’t trained (or diligent) enough to designate the difference. So their practices become guessing, stalling, or staying silent. Behavior like that doesn’t maintain a system. It gambles.

And in ISO 13485 environments, that gamble can ruin or end lives.

Understanding When One Problem Is More Than an Isolated Issue

Whenever a problem repeats itself, it could be pointing to a deeper issue within your system, such as training, process, or a general oversight. Does the rabbit hole extend past one facet of manufacturing? That’s when you assemble a team to take a closer look. Could it impact product safety? Is it likely to happen again? Would an auditor or regulator expect you to dig deeper?

When the answer to any of those questions is “probably,” you’re already in CAPA territory.

Separating nonconformance and CAPA isn’t about bureaucracy. It’s about precision.

Let us help you sharpen that line and celebrate the impact that comes with it.

How We Can Help

If you’re not sure whether your CAPA and NC programs are doing what they should, you shouldn’t have to guess. That’s what the right training is for.

APEX QA offers both risk management and lead auditor training for anyone looking to better understand ISO 13485. Both of these courses are offered in a live-online format, catering to any location or chaotic schedule. With the distinction of an Exemplar Global certificate, not only are you investing in yourself, you’re also taking steps to protect your company and the patients your products serve.

Final Thoughts

CAPA and nonconformance aren’t twins. They’re teammates. One flags the problem. The other makes sure it never shows up again.

When a system can’t reflect that split both on paper and in practice, you’re setting yourself up for poor audit results, frustrated professionals, and issues that’ll end up repeating themselves.

In ISO 13485, that split isn’t just encouraged. It’s expected. And when done right, it’s what makes your system not just functional, but safe.