What Is CAPA (Corrective & Preventive Action)?

CAPA is a structured investigation that takes a real problem (a deviation, a complaint, an audit finding, an out-of-spec result, a trend) through containment, root cause, corrective action, preventive action, effectiveness check, and closure — with evidence at every step. It is not: a one-line 'retrained operator' entry on a form; a synonym for 'we wrote a memo'; the same thing as a deviation; or a way to close a finding without changing anything in the process. The single biggest mistake is treating CAPA as documentation. CAPA is the change. The document is just the trail.

CAPA is required by FDA 21 CFR 820.100 (medical devices), 21 CFR 211.192 (drug cGMP, framed as 'investigation of discrepancies and failures'), 21 CFR 111.140 (dietary supplements), 21 CFR 117 / FSMA (food), and is explicit in ISO 13485 §8.5.2/3, ISO 9001 §10.2, IATF 16949 and most GFSI food standards (BRCGS, SQF, FSSC 22000). The wording differs but the spine is the same: identify the problem, find the root cause, fix it, prevent recurrence, prove the fix worked. EU GMP Annex 15 and PIC/S add formality around the change-control link. The 2018 FDA Case for Quality program flagged 'CAPA effectiveness' as the single highest-leverage indicator of a healthy quality system — inspectors look here first.

A defensible CAPA runs eight steps. (1) Identification: the trigger event — deviation, complaint, audit finding, trend — opens a CAPA with a clear problem statement. (2) Evaluation: do we need a CAPA at all, or is this a one-off correction? Document the decision either way. (3) Containment: what immediate action stops more bad product or bad data right now? (4) Investigation: gather the facts — batches, equipment, people, materials, environment, methods. (5) Root cause analysis: 5-Whys, fishbone, fault tree — pick a method and use it; 'human error' is never a root cause. (6) Corrective action: the fix for what already went wrong. (7) Preventive action: the change that stops it happening elsewhere. (8) Effectiveness check: a deliberate, dated verification — usually 30/60/90 days out — that the action actually worked. Skip step 8 and the CAPA becomes a finding next inspection.

Five patterns dominate Form 483s and audit findings. (1) Root cause = 'human error' or 'operator did not follow procedure' with no investigation of *why* — the SOP was unclear, training was thin, the workstation forced the error, etc. (2) Corrective action is 'retrain' with no change to the procedure, layout or system that produced the error. (3) Preventive action is missing entirely. (4) Effectiveness check is missing or scheduled and never done. (5) CAPA closed before the effectiveness check completes. Behind all five is the same thing: CAPA treated as a form-filling exercise rather than a real change. The fastest way to spot a healthy quality system from the outside is to read three closed CAPAs at random; the fastest way to spot a broken one is the same.

CAPAs don't appear from nowhere. They are triggered by deviations on the floor, by customer complaints, by internal audit findings, by external audit findings, by supplier non-conformances, by trend signals (e.g., the same in-process check failing across 4 batches). The link matters: an inspector pulls a complaint, asks for the CAPA, then asks for the deviation that the same root cause produced six months earlier. If the records aren't linked, the answer is incoherent. The defensible posture is one platform where complaints, deviations, audits, supplier NCRs and trend alerts all open CAPAs by structured link — and the CAPA carries the lineage back to every event it addresses.

Small and mid-size manufacturers don't have a 4-person CAPA team — and they shouldn't need one. The work is reducible to good tooling plus disciplined ownership. Use a system that (a) opens a CAPA from any trigger in one click, (b) forces a real RCA method, (c) names a single owner with a due date, (d) reminds owners before the date and escalates after, (e) blocks closure without an effectiveness check, (f) surfaces overdue and ineffective CAPAs to the management-review dashboard automatically. With that, one QA owner can run 50+ open CAPAs without losing visibility. Without it, three people will lose visibility on 20.