CAPACorrective Action and Preventive Action

CAPA — Corrective Action and Preventive Action — is the disciplined, documented process by which a regulated company identifies the root cause of a quality problem, eliminates it, prevents it from recurring, and verifies the fix worked. It is the most-inspected subsystem in any regulated quality system. The FDA's Quality System Inspection Technique (QSIT) explicitly lists CAPA as one of the four major subsystems an investigator targets, alongside Production & Process Controls, Management Controls, and Design Controls.

CAPA is required, in essentially the same shape, by every regulatory regime that governs regulated manufacturing. 21 CFR 820.100 (medical devices), 21 CFR 211.192 (pharmaceuticals), ISO 13485 §8.5.2/§8.5.3 (medical-device QMS), ISO 9001 §10.2 (general QMS), 21 CFR 117/507 (food/PCQI), and every GFSI scheme (SQF, BRCGS, FSSC 22000). The wording differs; the eight-step expectation is identical.

These three terms are often used interchangeably and they should not be. Mixing them is the most common reason a CAPA is rejected at audit.

A CAPA record that does only the correction (quarantine the batch) without addressing the root cause is sometimes called a 'CAPA' colloquially but is, strictly, just a correction. Inspectors look for evidence of root-cause analysis, the specific corrective action, and where appropriate the preventive action across other potentially affected processes.

820.100(a) is the headline: 'Each manufacturer shall establish and maintain procedures for implementing corrective and preventive action.' The clause then enumerates seven required activities, which together are the CAPA lifecycle.

1. Analysing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product and other sources of quality data to identify existing and potential causes of nonconforming product or other quality problems.
2. Investigating the cause of nonconformities relating to product, processes and the quality system.
3. Identifying the action(s) needed to correct and prevent recurrence of nonconforming product and other quality problems.
4. Verifying or validating the corrective and preventive action to ensure that such action is effective and does not adversely affect the finished device.
5. Implementing and recording changes in methods and procedures needed to correct and prevent identified quality problems.
6. Ensuring that information related to quality problems or nonconforming product is disseminated to those directly responsible for assuring the quality of such product or the prevention of such problems.
7. Submitting relevant information on identified quality problems, as well as corrective and preventive actions, for management review.

820.100(b) closes with the requirement that all activities under (a) and their results 'shall be documented'. This is the basis for the eight-step CAPA record every Notified Body and the FDA expects to see.

ISO 13485:2016 splits CAPA across two sub-clauses. §8.5.2 governs Corrective Action: review nonconformities (including complaints), determine causes, evaluate the need for action to ensure nonconformities do not recur, determine and implement action, record activities and results, review effectiveness. §8.5.3 governs Preventive Action: determine action to eliminate causes of potential nonconformities, evaluate the need, determine and implement action, record results, review effectiveness.

The 2016 revision tightened the documentation expectation. Every step must produce a record, and the effectiveness review is now a mandated activity rather than implied. A CAPA closed without an effectiveness-check record is a Notified Body finding.

Decomposing 820.100 and ISO 13485 §8.5.2/§8.5.3 yields the canonical eight-step CAPA lifecycle. Every audit-defensible CAPA record walks these eight steps explicitly, with evidence at each one.

1. Identification

Source: complaint, NCR, deviation, OOS, audit finding, management review trigger, trend analysis. Description of the problem in objective terms. Initial classification of risk and impact.

2. Triage and CAPA decision

Not every NCR becomes a CAPA. A trivial one-off may be closed at the NCR level with a documented rationale. A systemic issue, a repeat, or a high-impact event escalates. The triage decision and its rationale must be recorded.

3. Investigation and root cause analysis

Structured RCA technique — 5 Whys, fishbone (Ishikawa), fault tree, FMEA. The record captures the technique used, the data examined, the people involved, and the identified root cause. 'Operator error' alone is rarely an acceptable root cause; investigators are expected to dig into why the system permitted the error.

4. Action planning

Define the correction (immediate containment), the corrective action (root-cause elimination), and where appropriate the preventive action (across similar processes). Each action has an owner, a due date, and a defined deliverable.

5. Implementation

Execute the actions. Document the changes made — SOP revisions, retraining, equipment changes, process changes. Cross-link the change control records.

6. Verification of implementation

Confirm the actions were actually completed as planned. Sign-off by the action owner; verification by an independent reviewer.

7. Effectiveness check

Run a defined period after implementation. Did the corrective action prevent recurrence? Look at trend data, complaint data, repeat NCRs. The effectiveness criterion must be defined before the check, not invented at the check.

8. Closure

Two-component e-signature by the quality unit. Closure rationale references the verification and effectiveness evidence. The CAPA cannot be closed if effectiveness is not yet demonstrated; in that case it remains open with a documented extension.

The choice of RCA technique should match the complexity of the problem. A simple one-off process slip is well served by 5 Whys. A complex equipment failure benefits from fault-tree analysis. A process-design problem calls for FMEA. The technique must be documented in the CAPA record.

• 5 Whys — iteratively ask why until a fundamental cause is identified. Best for simple, linear problems. Fast, defensible, easy to teach.
• Fishbone / Ishikawa — visualise contributing causes across six categories (Man, Machine, Method, Material, Measurement, Environment). Best for problems with multiple potential causes.
• Fault tree analysis — top-down deductive tree from event to causes. Best for complex equipment or system failures.
• FMEA — Failure Mode and Effects Analysis. Best for proactive risk identification on new processes or as a preventive-action technique.
• Pareto analysis — frequency distribution of NCR causes. Best for identifying which class of problem deserves CAPA attention next.

Whatever technique is used, the output must be a single, testable root-cause statement and not a list of contributing factors. 'The HPLC was out of calibration because the calibration schedule was not enforced by the system' is testable; 'multiple factors contributed' is not.

The effectiveness check is where most CAPAs fail. The pattern: the CAPA is opened, the investigation is run, actions are implemented, the implementation is verified, and the CAPA is closed — without ever confirming the actions actually solved the problem. Six months later the same NCR recurs. The auditor pulls both records and asks why the effectiveness check did not catch it.

An effective effectiveness check has four characteristics. First, the criterion is defined in advance — 'zero recurrence over the next 90 days', not 'check if things improved'. Second, the data source is defined — which NCR category, which complaint code, which audit trail event. Third, the check window runs long enough to detect recurrence — typically 30 to 180 days depending on the cycle of the underlying process. Fourth, the result is documented with a yes/no determination and a rationale.

1. Root cause stated as 'operator error' without explaining why the system permitted the error.
2. Correction logged as a CAPA — the symptom was contained but the root cause was never investigated.
3. No effectiveness-check record — the CAPA closed before the verification window ran.
4. Action due dates routinely extended without documented rationale.
5. CAPA closed by the same person who performed the actions — independence broken.
6. Preventive action not considered for similar processes — repeat NCR on a parallel line.
7. Management review excludes overdue CAPAs — visibility broken at the top.
8. CAPA tied to an NCR that itself was misclassified — wrong root cause investigated.
9. Change-control records do not link to the CAPA — the action was taken but the audit trail does not connect them.
10. Trend analysis not performed — the same root cause keeps producing new CAPAs and no one notices.

820.100(a)(7) and ISO 13485 §5.6 both require CAPA information to be fed into management review. Management review must see: open CAPAs by severity and age, overdue CAPAs and the reason, CAPAs closed without effectiveness demonstrated, trend analysis showing CAPA causes by category, and any CAPA escalations from external sources (complaints, recalls, audit findings).

A CAPA programme invisible to management is a programme without escalation paths. The number-one Warning Letter pattern is a quality unit that knew of recurring CAPAs but could not get the resourcing or authority to fix the underlying cause. Management review is the structural answer.

V5 treats CAPA as a structured workflow, not a free-form document. Every CAPA walks the eight-step lifecycle with evidence at each step, e-signatures at every transition, and effectiveness-check enforcement at closure.

• CAPAs are triggered from NCRs, deviations, OOS, complaints, audit findings or directly from management review. Every CAPA carries a link to its trigger source.
• Triage decision (does this NCR become a CAPA?) is logged with rationale; a not-a-CAPA decision closes the NCR with documented justification.
• Root-cause analysis uses a structured RCA template (5 Whys, fishbone or fault tree) — the technique is captured and the testable root-cause statement is required before the CAPA can advance.
• Each action carries an owner, a due date, and a deliverable. Overdue actions auto-escalate to the responsible role and surface in management-review dashboards.
• Implementation links to change-control records — SOP revisions, training-record updates, equipment changes — through structured references rather than free text.
• Verification of implementation is a two-component e-signature step by an independent reviewer; the action owner cannot self-verify.
• Effectiveness check enforces the four characteristics: pre-defined criterion, pre-defined data source, pre-defined window, documented yes/no result. The CAPA cannot be closed without a passing effectiveness-check record.
• Closure is two-component e-signature by the quality unit; the audit trail records the meaning ('CAPA closed — effectiveness demonstrated') and the supporting evidence.
• Trend analysis runs continuously over CAPA root-cause categories and surfaces repeat patterns to management review.

See below for regulator-grade answers to the questions buyers ask most often about CAPA.