Responding to a Notified Body audit non-conformity means running a full CAPA cycle: confirm you understand the finding, do a real root cause analysis, define a corrective action that fixes the cause (not the symptom), define a preventive action that stops the same class of problem from recurring, gather evidence that the actions were implemented and worked, and submit the package inside the response window the NB assigned. The response wins or loses on root cause discipline and on evidence of closure. Not on promises, not on apologies, and not on volume.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.


TL;DR

  • A non-conformity response is a CAPA, run with the discipline of EN ISO 13485:2016+A11:2021 clauses 8.5.2 (corrective action) and 8.5.3 (preventive action). Not a corrective action alone. The full cycle.
  • "Major" and "minor" are Notified Body conventions, not MDR terminology. The MDR itself does not label findings this way. Your NB's rules govern which severity triggers which response window.
  • Response windows are typically 30 to 90 days from receipt of the report, depending on severity and the specific NB. This is NB-specific, not specified by the MDR.
  • The most common reason a CAPA response fails is a surface-level fix that leaves the root cause intact. The second most common reason is promises without evidence.
  • Multiple findings with the same underlying cause should be consolidated into one root cause analysis with one corrective action, not fragmented into ten separate responses that all say the same thing.

Why this matters for your startup

The audit report lands, you scan the list of findings, and the first impulse is to start fixing things. That impulse is the mistake. A CAPA response that starts with the fix ends with the same finding recurring at the next audit. Usually worse, because now it is a repeat finding with the history to match.

There is a Berlin company Tibor walked into where the entire QMS had been built by buying a template pack and replacing the placeholder company name. That was it. When the auditor started sampling, almost every process surfaced as a nonconformity. The team's first instinct was to fix each finding individually. One CAPA per nonconformity, each promising to revise the affected SOP. That approach was mathematically doomed. The root cause was not "SOP X is wrong." The root cause was "we bought templates, replaced the name, and never matched them to our operations." Until that root cause was addressed, every fixed SOP would drift back out of alignment, and new findings would appear the moment the auditor sampled a different process.

The fix in that case was not forty separate CAPAs. It was one honest root cause analysis that acknowledged the QMS had to be rebuilt process by process, matched to the actual company operations. The same discipline described in the Operations Pass of the Subtract to Ship framework. One root cause. One coordinated corrective action. One preventive action to stop template-driven QMS construction from happening again. That is how a responsible CAPA response to a systemic finding looks.

The second pattern is the opposite of systemic. The structural finding that is trivially fixable but exposes a deeper discipline issue. There is a startup whose technical file the auditor described as a treasure hunt. The information was present. The structure was not. Sections were scattered. Cross-references did not work. The auditor had to hunt for basic content. Individually, each finding was easy to fix: move this section here, add this cross-reference there. But if the CAPA response had stopped at the structural fixes, the team would have kept producing new documents with the same discipline gap. The real corrective action was not restructuring the existing file. It was instituting a template and a review step for every new document added to the technical file so the drift would not recur.

Both stories point at the same lesson. The response is only as good as the root cause analysis behind it. Skip the root cause, and you are fixing symptoms while the disease stays in the building.

The legal frame matters too. Your conformity assessment runs under MDR Article 52 and the applicable annex, which for most startups is Annex IX (assessment based on a quality management system plus assessment of technical documentation). Certificates of conformity are governed by Article 56. Notified Body responsibilities sit in Annex VII. Your NB cannot issue or maintain a certificate while major findings remain open, which means the CAPA response is not just hygiene. It sits directly between you and market access.

Step 1. Read the finding until you understand it

Before you do anything else, read each finding carefully and make sure you understand exactly what the auditor saw, what standard or regulation they referenced, and what they consider the gap to be.

A non-conformity in a Notified Body report has three parts that matter. The statement of the finding: what the auditor actually observed. The reference: the clause of EN ISO 13485:2016+A11:2021, the article of the MDR, or the annex that the observation relates to. And the severity classification: typically "major" or "minor", though the exact labels and the criteria behind them vary by NB.

Read all three. If any of them is unclear, do not guess. Request a clarification meeting with the auditor within the first week of receiving the report. Auditors would rather clarify a finding than review a CAPA response that misses the point of the finding entirely. Asking for clarification is not weakness. Guessing wrong and submitting a useless response is weakness.

A practical test: before you move to root cause analysis, write the finding in your own words in one sentence and compare it against what the auditor wrote. If the two sentences say the same thing, proceed. If they do not, you do not understand the finding yet.

Step 2. Do a real root cause analysis

Root cause analysis is where most CAPA responses go wrong. The finding says "SOP X does not match observed practice." The lazy root cause says "SOP X was out of date." The real root cause is almost never the document. It is the process that allowed the document to drift out of sync with practice without anyone noticing.

Use a structured method. Five Whys is fine for simple findings. A fishbone diagram is fine for complex ones. The method matters less than the discipline of not stopping at the first plausible answer.

Five Whys for the drifted SOP example:

  1. Why does the SOP not match observed practice? Because the practice was updated after a process improvement meeting but the SOP was not.
  2. Why was the SOP not updated? Because the person who updated the practice did not know the SOP needed to change.
  3. Why did they not know? Because document control training is generic and does not identify which SOPs each role is responsible for maintaining.
  4. Why is training generic? Because the training matrix was built once and has not been revisited since the company grew from five to twelve people.
  5. Why has it not been revisited? Because there is no trigger in the QMS requiring a training matrix review when headcount or roles change.

The real root cause, at the fifth why, is the missing trigger. That is what the corrective action needs to fix. Updating the SOP is necessary but not sufficient. It only addresses the symptom.

When multiple findings share a root cause, as in the Berlin template case, consolidate. One root cause analysis, one corrective action plan, one preventive action. Do not write ten CAPAs that all trace back to the same underlying issue. The NB will see through the fragmentation and read it as a sign that you did not actually analyse the problem.

Step 3. Define the corrective action

The corrective action is what you will do, specifically, to eliminate the root cause. It is not "we will improve document control." It is a concrete, dated, owned action that can be verified as complete.

A good corrective action has four components. What will be done. Who will do it. When it will be done by. How completion will be evidenced.

For the drifted SOP example, a corrective action might read: "By 15 May 2026, the Quality Manager will add a mandatory training matrix review to the management review process, triggered by any headcount change above 20 percent or any role definition change. Evidence: revised management review procedure, signed meeting minutes from the first review including the new trigger, updated training matrix."

Notice what the action does. It fixes the root cause. The missing trigger. Not the symptom. It names a specific person, date, and deliverable. It defines what evidence will prove the action was completed.

EN ISO 13485:2016+A11:2021 clause 8.5.2 requires corrective actions to be appropriate to the effects of the nonconformities encountered. Appropriate means proportionate. A minor documentation finding does not justify a six-month organizational redesign, and a systemic process failure does not justify a one-line SOP amendment. Match the weight of the action to the weight of the root cause.

Step 4. Define the preventive action

Preventive action is where most startups fall down because they confuse it with corrective action. Corrective action fixes the problem you already have. Preventive action stops the same class of problem from appearing somewhere else.

EN ISO 13485:2016+A11:2021 clause 8.5.3 requires preventive actions to be appropriate to the effects of the potential problems. The question to answer is: given what has been learned from this root cause, where else in the QMS could the same pattern exist, and what are you doing to check and protect those other areas?

For the drifted SOP example, the corrective action fixes the one drifted SOP and installs the trigger. The preventive action asks: how many other SOPs might have drifted out of alignment for the same reason, and what is your one-time sweep to detect and fix them before the next audit? A typical preventive action would be a time-boxed internal audit that samples every SOP against observed practice, with findings logged and closed before the CAPA response is submitted.

Preventive action is not "we will be more careful in the future." That is a promise, not an action. An auditor cannot verify that you will be more careful. They can verify that you ran an internal sweep and closed the findings from it. Write preventive actions that can be verified.

Step 5. Implement the actions and gather evidence

This is where the CAPA response is won or lost. Promises are worthless. Evidence is everything.

For every corrective and preventive action, the CAPA response package must include objective evidence that the action was actually implemented. Not a plan to implement it. Not a timeline showing when it will be implemented. Evidence that it is done.

Typical evidence for a CAPA response package includes:

  • the revised SOP or procedure with a new version number and effective date,
  • the signed training records showing affected personnel were trained on the change,
  • the meeting minutes or management review output that triggered or approved the change,
  • the records from the first time the new process was applied in production,
  • the internal audit report that verified the fix held up, and
  • screenshots or copies of any system configuration changes.

The principle is simple: if the NB auditor walked back into your building the day after you submitted the CAPA response, could they see the change, in operation, with records? If not, the evidence is incomplete.

Step 6. Submit inside the response window

Response windows are set by your Notified Body, typically 30 to 90 days from receipt of the audit report depending on the severity of the finding and the specific NB's rules. This window is not specified by the MDR itself. It is an NB convention applied consistently within that NB's procedures.

Submit on time. Late submissions damage the relationship and, for major findings, can block certification. If you realise during implementation that you cannot close a finding inside the window, contact the NB before the deadline, not after. Most NBs will grant a reasonable extension for genuine reasons if you ask before the window closes. None will grant one if you miss the deadline silently.

The response package typically includes:

  • a cover letter summarising the response,
  • a table listing each finding with its status,
  • the root cause analysis for each finding or group of findings,
  • the corrective and preventive actions with owners and dates,
  • the evidence of implementation, attached or referenced by file name, and
  • the effectiveness check plan.
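The checks in Steps 1 to 6 are mechanical enough to run before the package goes out the door. The script below is an added example and not the authors' own tooling: it lints a CAPA package for the failure modes this post names (a root cause that merely restates the finding, actions phrased as promises, due dates past the response window, missing evidence, missing preventive action or effectiveness check, findings covered by zero or several CAPAs, and separate CAPAs that share one root cause). The package layout (findings, capas, actions, effectiveness_check), the 60-day window and the sample findings and CAPAs are all constructed for the example.

```python
"""Lint a CAPA response package against the checks described in this post.

Added example, not the authors' own tooling. The package layout
(findings, capas, actions, evidence, effectiveness_check) is an assumed
in-house structure; the sample data at the bottom is constructed so the
script runs offline.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import date, timedelta

# Wording that usually signals a plan or a promise rather than a completed action.
PROMISE_MARKERS = ("we will", "will be", "plan to", "going to", "be more careful")
# Generic verbs that name no concrete deliverable.
VAGUE_VERBS = ("improve", "strengthen", "enhance")


def normalise(text: str) -> str:
    """Collapse whitespace and case so two statements can be compared literally."""
    return " ".join(text.lower().split())


def lint_package(pkg: dict, report_received: date, window_days: int, submitted: date) -> list[str]:
    """Return human-readable problems; an empty list means the package passes these checks."""
    issues: list[str] = []
    deadline = report_received + timedelta(days=window_days)
    if submitted > deadline:
        issues.append(f"submitted {(submitted - deadline).days} day(s) after the window closed on {deadline}")

    findings = {f["id"]: f for f in pkg["findings"]}
    coverage: dict[str, list[str]] = defaultdict(list)      # finding id -> CAPAs that cite it
    by_root_cause: dict[str, list[str]] = defaultdict(list)  # normalised root cause -> CAPAs

    for capa in pkg["capas"]:
        cid = capa["id"]
        rc = normalise(capa["root_cause"])
        by_root_cause[rc].append(cid)
        for fid in capa["findings"]:
            coverage[fid].append(cid)
            if fid not in findings:
                issues.append(f"{cid}: references unknown finding {fid}")
            elif rc == normalise(findings[fid]["statement"]):
                issues.append(f"{cid}: root cause merely restates finding {fid} (symptom, not cause)")
        kinds = {a["type"] for a in capa["actions"]}
        for missing in sorted({"corrective", "preventive"} - kinds):
            issues.append(f"{cid}: no {missing} action")
        if not capa.get("effectiveness_check"):
            issues.append(f"{cid}: no effectiveness check plan or record")
        for act in capa["actions"]:
            aid = f"{cid}/{act['id']}"
            for field in ("what", "owner", "due"):
                if not act.get(field):
                    issues.append(f"{aid}: missing '{field}'")
            text = act.get("what", "").lower()
            if any(m in text for m in PROMISE_MARKERS) or any(v in text for v in VAGUE_VERBS):
                issues.append(f"{aid}: reads as a promise or generic intent, not a verifiable action")
            due = act.get("due")
            if due and due > deadline:
                issues.append(f"{aid}: due {due} is after the response deadline {deadline}")
            if not act.get("evidence"):
                issues.append(f"{aid}: no implementation evidence attached")

    for fid in findings:
        n = len(coverage.get(fid, []))
        if n == 0:
            issues.append(f"finding {fid} is not addressed by any CAPA")
        elif n > 1:
            issues.append(f"finding {fid} is addressed by {n} CAPAs: {', '.join(coverage[fid])}")
    for rc, cids in by_root_cause.items():
        if len(cids) > 1:
            issues.append(f"CAPAs {', '.join(cids)} share one root cause; consolidate into a single analysis")
    return issues


# Constructed sample data (assumed NB window of 60 days; not a real audit).
RECEIVED = date(2026, 4, 1)
WINDOW_DAYS = 60
SUBMITTED = date(2026, 5, 28)
SAMPLE_PACKAGE = {
    "findings": [
        {"id": "NC-01", "severity": "major", "statement": "SOP-07 does not match observed practice."},
        {"id": "NC-02", "severity": "minor", "statement": "Training matrix not reviewed since 2024."},
        {"id": "NC-03", "severity": "minor", "statement": "Technical file cross-references do not resolve."},
    ],
    "capas": [
        {   # Consolidated CAPA for two findings with one root cause; passes every check.
            "id": "CAPA-01", "findings": ["NC-01", "NC-02"],
            "root_cause": "No QMS trigger requires a training matrix review when headcount or roles change.",
            "actions": [
                {"id": "A1", "type": "corrective", "owner": "Quality Manager", "due": date(2026, 5, 15),
                 "what": "Add a mandatory training matrix review trigger to the management review procedure.",
                 "evidence": ["QMS-PR-004 rev C", "Management review minutes 2026-05-12", "Training matrix rev 4"]},
                {"id": "A2", "type": "preventive", "owner": "Internal Auditor", "due": date(2026, 5, 22),
                 "what": "Sample every released SOP against observed practice in a time-boxed internal audit.",
                 "evidence": ["IA-2026-03 report"]},
            ],
            "effectiveness_check": "Sampled internal audit of SOP/practice alignment, August 2026.",
        },
        {   # The anti-pattern: restated finding, promise, late due date, no evidence, no preventive action.
            "id": "CAPA-02", "findings": ["NC-03"],
            "root_cause": "Technical file cross-references do not resolve.",
            "actions": [
                {"id": "A1", "type": "corrective", "owner": "RA Lead", "due": date(2026, 6, 30),
                 "what": "We will improve technical file structure.", "evidence": []},
            ],
        },
    ],
}

if __name__ == "__main__":
    for issue in lint_package(SAMPLE_PACKAGE, RECEIVED, WINDOW_DAYS, SUBMITTED):
        print(issue)
```

Run against the constructed package, every reported problem belongs to CAPA-02; CAPA-01 passes because its root cause differs from the finding text, both action types are present with owners, dates inside the window and evidence references, and an effectiveness check is recorded. The string matching for promises is deliberately crude: it catches "we will improve", not a well-worded action that was never actually done, which only the attached evidence can prove.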

Step 7. Verify effectiveness

EN ISO 13485:2016+A11:2021 clause 8.5.2 requires you to review the effectiveness of corrective action. This is not optional. A CAPA that closes without an effectiveness check is not closed. It is parked.

Effectiveness check means running a second look after the action has been in place long enough to know whether it worked. For a process change, the second look might be a sampled internal audit three months after implementation. For a training change, it might be a competency assessment. For a document control change, it might be a spot check that documents in use match documents in the QMS.

The effectiveness check does not always need to be in the CAPA response package submitted to the NB (depending on the NB's rules and the response window), but it always needs to be in your own records. If the NB follows up in a surveillance audit and asks "how did you verify the corrective action worked?", the answer must be a documented effectiveness check, not a shrug.

Common mistakes startups make

  • Treating the finding as the root cause. The finding is the symptom. The root cause is what allowed the symptom to exist. Stopping at the finding produces fixes that do not hold.
  • Fragmenting a systemic problem into individual CAPAs. Ten findings that share one root cause deserve one root cause analysis and one consolidated corrective action, not ten separate mini-CAPAs that all say the same thing.
  • Promising instead of implementing. A CAPA response that says "we will update the SOP by June 30" is not a response. It is a plan. The response needs the updated SOP attached.
  • Skipping preventive action. Fixing the immediate problem without asking "where else could this happen" leaves the underlying pattern in place. The next audit will find it somewhere else.
  • Missing the response window silently. If you need more time, ask before the deadline. Disappearing is the fastest way to convert a minor finding into a serious relationship problem with the NB.
  • Over-responding to minor findings. A minor finding does not need a twenty-page response. Match the weight of the response to the weight of the finding. Over-engineering looks like performance, not rigor.

The Subtract to Ship angle

Subtraction in CAPA response means cutting every action that does not trace to a real root cause. If your response package has ten corrective actions and only three of them address actual root causes, the other seven are waste. They consume time, dilute attention, and train the team to equate volume with quality.

The best CAPA responses are short, focused, and evidence-heavy. One clean root cause analysis. One corrective action that fixes the cause. One preventive action that protects the rest of the system. Evidence attached. Submitted on time. Nothing extra.

The worst CAPA responses are long, padded, and promise-heavy. Multiple overlapping actions. Generic language about "strengthening" or "enhancing." Timelines that extend past the response window. No concrete evidence. These responses fail even when they contain the right ideas, because the auditor cannot find the substance through the noise.

Subtract to Ship applied to CAPAs means: one root cause per problem, one action per cause, one piece of evidence per action, and nothing that does not survive the test.

Reality Check. Where do you stand?

  1. For the last finding your organization closed (in a real or mock audit), can you state the root cause in one sentence without mentioning the symptom?
  2. Did that finding's corrective action fix the cause or the symptom? How do you know?
  3. Did the response include a preventive action that addressed other places the same pattern could exist? What was it?
  4. Could an outside reviewer, reading your CAPA package without any additional context, verify from the evidence that the action was actually implemented?
  5. Do you have a documented effectiveness check for every closed CAPA, or do you close CAPAs on the day the action is completed?
  6. If you received ten findings tomorrow, could you tell within an hour which ones share a root cause and should be consolidated into a single analysis?
  7. Do you know the exact response window your Notified Body applies to major and minor findings, and where that rule is written down in your contract or the NB's procedures?

Frequently Asked Questions

Does the MDR specify response windows for audit non-conformities? No. The MDR itself does not specify response windows for Notified Body audit findings. Response windows are set by each Notified Body under the framework of MDR Annex VII (which defines NB requirements) and are typically 30 to 90 days depending on severity. The exact window for your case will be stated in the audit report or your NB contract.

Are "major" and "minor" non-conformities defined in the MDR? No. "Major" and "minor" are common conventions used by most Notified Bodies to classify the severity of findings, but the MDR itself does not use these labels. Your NB's procedures define what constitutes a major versus a minor finding and what response each triggers. When in doubt, ask the NB for their classification criteria in writing.

What happens if you miss the response deadline? For minor findings, missing the deadline damages the relationship and may escalate the finding to major in some NB procedures. For major findings, missing the deadline can block or suspend certification under Article 56. The correct move when you see you will miss a deadline is to contact the NB before the deadline and request an extension with a specific reason and a new date.

Can one CAPA cover multiple findings? Yes, and it should when the findings share a root cause. A single consolidated CAPA with one root cause analysis and one coordinated action plan is stronger than ten separate CAPAs that all trace back to the same issue. List the findings it covers explicitly in the CAPA record so the NB can verify the mapping.

Do you need to submit effectiveness check evidence with the CAPA response? It depends on the NB and the response window. Some NBs require the effectiveness check to be part of the response package. Others accept a documented effectiveness check plan at the time of response, with the actual check performed and recorded in your QMS for the next surveillance audit. Clarify with your NB which model applies.

How much documentation is too much for a CAPA response? If the package is longer than it needs to be to present the root cause, the action, and the evidence, it is too long. Auditors read hundreds of CAPA responses. They can spot padding instantly, and padding reduces, rather than increases, the perceived quality of the response. Short, specific, and evidence-rich beats long and generic every time.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 52 (conformity assessment procedures), Article 56 (certificates of conformity and EU declaration of conformity), Annex VII (requirements to be met by notified bodies), Annex IX (conformity assessment based on a quality management system and on assessment of technical documentation). Official Journal L 117, 5.5.2017.
  2. EN ISO 13485:2016 + A11:2021. Medical devices. Quality management systems. Requirements for regulatory purposes, clause 8.5.2 (corrective action) and clause 8.5.3 (preventive action).

This post is part of the MDR Fundamentals & Regulatory Strategy series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. Tibor has reviewed and closed hundreds of CAPA responses from the auditor side of the table and built them from the manufacturer side in his own companies. The discipline described here is the one that actually holds up under scrutiny.