Skip to content

CAPA & Non-Conformance

Driven by events, not assumptions

Every issue starts as a signal. qmsWrapper captures it, decides what it becomes, and enforces what happens next.

CAPA and Non-Conformance are not standalone tools here. They are part of an event-driven quality system that captures issues early, escalates them only when it makes sense, and (once a CAPA is opened) enforces every step: who investigates, who signs off, and when it is allowed to close.

Not every issue is a CAPA. But every issue must be controlled.

One entry point. No blind spots.

Quality issues do not begin as CAPAs or non-conformities.
They begin as signals noticed during real work: a change, a deviation, a nonconformity, a piece of feedback.

qmsWrapper captures every one of them the same way: as a Quality Event. Logged once, in one place, structured from the start, the moment it is noticed. Nothing informal, nothing stranded on a spreadsheet.

From that point the issue is visible, traceable, and assessable.

How an issue reaches a CAPA in qmsWrapper Four signals, change, deviation, nonconformity, feedback, feed into a single Quality Event, which is triaged by risk into three outcomes: correct and close, a non-conformance record, or a CAPA. A non-conformance can itself escalate to a CAPA. Change Deviation Nonconformity Feedback Quality event Single entry point Triage Risk-based assessment Correct & close Minor or deviation Non-conformance First-class record CAPA Only when justified Entry point Tracked object Intake / routine
Event capture form for CAPA and Non-Conformance, Deviation and Feedback in an event-driven QMS system

Classification before escalation

Once an event is logged, the system supports structured classification, because not everything should become a CAPA.

Some events are corrected and closed. Some are recorded as a Non-Conformance: a core QMS object in its own right, with its own module, not a step on the way to something else. And some justify a CAPA.

Non-Conformance sits beside CAPA, not inside it. A CAPA is a decision you make on top of an event, including on top of a non-conformance, and only when the risk warrants it.

Risk decides, not habit

Escalation continues only when analysis shows a systemic, recurring, or high-risk issue.

qmsWrapper supports risk-based triage so that:

Minor stays minor

Minor issues do not inflate CAPA logs.

Serious gets attention

Serious problems get the attention they deserve.

Proportional

Decisions are proportional and defensible.

For QMS managers, that means fewer CAPAs, and stronger ones.

CAPA and Non-Conformance workflow showing event triage and risk-based evaluation in a medical device QMS

Two Depths of CAPA

A CAPA reaches qmsWrapper two ways. It can come out of the triage above, a quality event serious enough to act on. Or you can log one directly, the moment you know you need it, without a quality event at all. Either way, it runs at one of two depths.

Level 1 · CAPA Log

Form-driven, and light by design. Any form you designate as a CAPA-type form lands in the Log: visible, searchable, and linked from the moment it is created. Build your own CAPA form, or start from the general one we provide. No stages, no enforcement. The Log tracks forms; it needs no quality event to start.

Level 2 · CAPA Lifecycle

Event-driven, and fully enforced. When an issue needs the complete corrective-action process, it enters the Lifecycle: eight ordered stages the system will not let you shortcut. One CAPA form underlies the whole process, surfaced as five typed variants (supplier, feedback, deviation, non-conformance, general) so each opens with the right context.

The two depths of CAPA in qmsWrapper Level 1, the CAPA Log, starts from a CAPA-type form, your own or the general one, and is logged and linked with no enforcement. Level 2, the CAPA Lifecycle, starts from a quality event and runs the enforced process, where one CAPA form is surfaced as five typed variants: supplier, feedback, deviation, non-conformance, and general. A logged CAPA can be escalated from Level 1 into Level 2, with its history preserved. CAPA-type form Quality event CAPA log Level 1 · form-driven CAPA lifecycle Level 2 · enforced Your form or ours Logged & linked One form, five typed variants Supplier Feedback Deviation NC General Escalate into the Lifecycle when systemic, recurring, or high-risk The full history follows it, nothing is re-keyed.

A CAPA can start in the Log today and move into the enforced Lifecycle the moment it needs to, with its full history intact.

An 8-Stage Lifecycle, Not a Label

Once a CAPA enters the enforced lifecycle, it moves through eight ordered stages, and the system does not allow shortcuts:

1

Open

2

Triage

3

Investigation

4

Root Cause Identified

5

Action Plan Approved

6

Implementation

7

Effectiveness

8

Closed

Each transition is checked against what has actually been completed. A CAPA cannot jump from Investigation to Closed, and cannot be advanced by editing a status field. Every stage change is written to an audit trail with who made it, when, and why (a reopened CAPA requires a documented reason).

Built-in Controls

Independent QA Sign-off

Two points in the lifecycle require sign-off from a QMS manager who is not the CAPA’s own author: after root cause analysis, and again before closure.

The approver pool excludes the CAPA’s own author automatically. Segregation of duties (ISO 13485 §8.5.2) is enforced by the system, not manual discipline.

Nothing Closes Early

A CAPA flagged for regulatory reporting cannot reach Effectiveness until a linked vigilance task exists. The system blocks it rather than relying on memory.

Closure works the same way: an open linked Change Request or vigilance task holds the CAPA open until it is resolved.

Clear oversight, audit-ready by design

Non-Conformances and CAPAs each have their own dedicated modules, with clean logs designed for everyday QMS management.

CAPA record linked to source event showing traceability in a medical device QMS

A stage-aware AI assistant sits inside the CAPA record itself. It reads the CAPA’s event description and current stage, then offers:

  • a classification and root cause method to consider
  • draft action plan and effectiveness language
  • new suggestions every time the CAPA advances to its next stage

The assistant drafts. It does not decide. Nothing is saved to the record until you advance the stage, so an abandoned suggestion never reaches the audit trail.

Auditors see not just what happened, but why each decision was made, and by whom.

What the Dashboard Shows

One view gives QMS managers five things at a glance:

By stage

How many CAPAs sit in each stage.

Overdue

Which ones have been open more than 90 days.

Reopen rate

What percentage of closed CAPAs get reopened.

Effectiveness

How many checks pass, fail, or are still pending.

Time in stage

Average time spent in each stage.

It is the same data an auditor asks for. It is already assembled.

We will show you how events, non-conformances, and CAPAs work together in one coherent system.


How it maps to the regulations

A CAPA can originate from a non-conformance, a customer complaint, an internal audit finding, post-market surveillance, or a management review. Each carries the same enforced Lifecycle once opened.

CAPA is one of the most inspected areas of any medical device QMS. qmsWrapper’s CAPA and non-conformance workflow maps to:

  • ISO 13485:2016 §8.5.2 (corrective action) and §8.5.3 (preventive action).
  • FDA 21 CFR 820.100, including all eight CAPA sub-elements.
  • MDR Article 83 (post-market surveillance plan) and Annex III §1.1(c) (post-market corrective actions).
  • ISO 13485 §8.2.4 (monitoring and measurement) and MDSAP Chapter 4.
  • EU AI Act Article 9 when a CAPA is triggered by AI model drift.