Nonconformance vs Deviation

Deviation is a departure from an approved procedure, instruction or specification during execution. Nonconformance is the non-fulfilment of a requirement by a product, material or output. A deviation is something a person or process does. A nonconformance is something a thing is. Either can exist without the other — you can deviate from an SOP and still produce conforming product; you can follow every SOP and still produce nonconforming product.

Pharmaceutical GMP regulations strongly prefer the term 'deviation'. 21 CFR 211.100(b) requires that 'any deviation from the written procedures shall be recorded and justified'. EU GMP Chapter 1 and Annex 15 use 'deviation' throughout as the primary term for a departure from approved procedures or specifications.

When a deviation results in a product that fails specification, the GMP regulations bring in 21 CFR 211.192 — 'any unexplained discrepancy ... or the failure of a batch or any of its components to meet any of its specifications shall be thoroughly investigated'. That language captures the idea of a nonconforming product without using the ISO term.

OOS (out-of-specification) is a related but narrower term — it refers specifically to a laboratory test result that fails specification. An OOS is a type of nonconformance; not every nonconformance is an OOS.

ISO uses 'nonconformity' (the singular) and 'nonconformance' (often used colloquially in North America) for non-fulfilment of a requirement (ISO 9000:2015 §3.6.9). ISO 13485:2016 §8.3 — 'Control of nonconforming product' — is the dedicated clause for product that fails to meet requirements. ISO does not have a 'deviation' clause analogous to 21 CFR 211.100(b); the closest concept is 'concession' (§3.12.5 in ISO 9000) — permission to use or release product that does not conform to specified requirements.

Under ISO 13485, the act of departing from an approved procedure is typically captured under §8.5.2 (corrective action) rather than as its own first-class object. This is one of the practical differences a manufacturer transitioning from QSR to QMSR encounters — the QSR culture was deviation-first, and an ISO 13485 culture is nonconformance-first.

Legacy QSR (Part 820) used 'nonconformity' (§820.90) for product and 'corrective and preventive action' (§820.100) for procedural and systemic issues. There was no explicit 'deviation' clause in the QSR. QMSR (effective 2 February 2026) inherits ISO 13485:2016 vocabulary by reference — 'nonconformity' for product (§8.3), 'corrective action' (§8.5.2), 'preventive action' (§8.5.3).

QSR-trained manufacturers will not find much vocabulary shock — the core concept is the same — but should refresh SOPs to reference the ISO clause numbers rather than the now-superseded QSR sections, and should make sure 'deviation' (where their pharma-trained staff use it) maps to a defined process under either §8.3 or §8.5.2 depending on whether the issue is a product or a system.

A QMS that operates across pharma and device, or across US and EU, benefits from a deliberate convention rather than letting different sites pick different vocabulary.

1. Use 'deviation' for any departure from an approved procedure, instruction or specification during execution. This is the 21 CFR 211.100(b) term and matches FDA inspector expectations in a pharma context.
2. Use 'nonconformance' (or 'nonconforming product') for any product, material, intermediate or output that fails to meet a specified requirement. This is the ISO 13485 §8.3 term and matches ISO auditor expectations.
3. When a deviation produces a nonconformance, the deviation record and the nonconformance record are linked — same root cause, but tracked as two artefacts because they have different lifecycles (the deviation closes with a procedural disposition; the nonconformance closes with product disposition: rework, regrade, scrap, accept-as-is concession).
4. When a deviation does not produce a nonconformance, only the deviation record exists and it closes with a 'no product impact' impact assessment per §211.192.
5. When a nonconformance is found without a clear procedural deviation (e.g., a finished-product assay OOS that root-causes to a method issue), only the nonconformance record exists initially; the investigation may then open a deviation record retroactively if a procedural cause is identified.

Both deviations and nonconformances feed into CAPA when the cause is systemic, recurrent, or has effectiveness implications beyond the immediate event. Neither is automatically a CAPA. The CAPA decision is a separate assessment after the initial deviation or nonconformance has been investigated — recurrence rate, severity, regulatory commitments and risk to product safety/quality all factor in.

The common anti-pattern is opening a CAPA for every deviation. Inspectors do not look favourably on a CAPA system that has 800 open items because the trivial-deviation route also generates a CAPA. CAPA should be reserved for issues where a permanent corrective or preventive action is genuinely warranted; routine deviations are closed under the deviation process with their immediate corrective actions recorded inside the deviation record.