Corrective and Preventive Action (CAPA) Compliance
Corrective and Preventive Action (CAPA) is a foundational quality management mechanism required by federal regulations across the medical device, pharmaceutical, food, and aerospace industries. CAPA systems compel organizations to identify root causes of nonconformances, implement corrections, and take systematic steps to prevent recurrence. Regulatory bodies including FDA, ISO standards bodies, and the FAA treat CAPA program effectiveness as a primary indicator of quality system health during audits and inspections.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps (non-advisory)
- Reference table or matrix
Definition and scope
CAPA refers to a structured set of activities that addresses detected nonconformities (corrective action) and eliminates the potential for nonconformities that have not yet occurred (preventive action). Under 21 CFR Part 820, the FDA's Quality System Regulation for medical devices, CAPA is codified at §820.100 and requires manufacturers to implement procedures for analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other quality data sources to identify existing and potential causes of nonconforming product or quality problems.
The scope of CAPA obligations extends beyond medical devices. FDA's pharmaceutical regulations under 21 CFR Part 211 embed CAPA principles within Current Good Manufacturing Practice (cGMP) requirements for finished pharmaceuticals. ISO 9001:2015, published by the International Organization for Standardization, mandates corrective action at clause 10.2 for any organization seeking third-party certification. ISO 13485:2016, the medical device quality management standard, dedicates clause 8.5.2 to corrective action and clause 8.5.3 to preventive action as distinct but related obligations.
The regulatory scope also touches aerospace: AS9100 Rev D, published by SAE International and widely adopted by aerospace prime contractors, incorporates CAPA requirements consistent with ISO 9001:2015 but with additional risk management and configuration control expectations. For the food industry, FDA's 21 CFR Part 117 Hazard Analysis and Risk-Based Preventive Controls (HARPC) framework under FSMA parallels CAPA logic through its preventive control verification and corrective action provisions.
Core mechanics or structure
A functional CAPA system operates in discrete, documented phases. The first phase is problem identification and documentation, where a triggering event—a customer complaint, internal audit finding, nonconformance report, or process deviation—initiates a formal CAPA record. This record establishes the scope of the problem and links it to affected product lots, processes, or systems.
The second phase is root cause analysis (RCA). Regulatory guidance and industry practice recognize multiple RCA methods: the Ishikawa (fishbone) diagram, 5-Why analysis, fault tree analysis (FTA), and Failure Mode and Effects Analysis (FMEA). FDA guidance on process validation references the importance of statistical tools in understanding process variation, which directly informs RCA methodology.
The third phase is action planning and implementation, divided into immediate containment (stopping the spread of a known nonconformance) and long-term systemic correction. The fourth phase is effectiveness verification, which confirms that the implemented action produced the intended outcome without introducing new risks. The fifth phase is closure and documentation, including retention of records per the applicable regulatory requirements—21 CFR §820.100(b) specifically requires CAPA records to be maintained.
The nonconformance reporting requirements process feeds directly into CAPA initiation, making the two systems tightly coupled in any compliant quality management framework.
Causal relationships or drivers
CAPA systems are triggered by a specific set of upstream inputs. Customer complaints represent one of the highest-priority drivers; FDA's 21 CFR §820.198 requires that complaint files be reviewed to determine whether complaints represent events that should be reported and whether they necessitate CAPA investigation.
Internal audit findings are the second major driver. Under ISO 9001:2015 clause 9.2, internal audits must produce documented findings, and clause 10.2 requires corrective action for any nonconformity regardless of whether it originated in an audit, customer complaint, or process monitoring. Audit readiness for quality control practices directly influence how efficiently CAPA inputs are identified and documented.
Product and process data—including statistical process control (SPC) trends, out-of-specification results, and supplier quality data—constitute the third major driver category. When statistical process control compliance detects systematic drift before a nonconformance occurs, the resulting CAPA is classified as preventive rather than corrective. Management review, mandated under ISO 9001:2015 clause 9.3, is also a formal mechanism for identifying CAPA inputs at the system level.
Classification boundaries
CAPA contains 3 distinct sub-classifications that are frequently conflated:
Correction addresses an existing nonconformity without investigating or eliminating its root cause. Reworking a defective batch is a correction, not a corrective action. ISO 9000:2015 clause 3.12.3 formally defines "correction" as a distinct term from "corrective action."
Corrective Action addresses a detected nonconformance by eliminating its root cause to prevent recurrence. This requires RCA and documented evidence that the cause has been addressed systemically.
Preventive Action addresses a potential nonconformance—one that has not yet occurred—by eliminating the potential cause. ISO 9001:2015 absorbed preventive action into its broader risk management framework under clause 6.1, so standalone preventive action subsections are more explicit in ISO 13485:2016 and 21 CFR Part 820 than in the general-purpose quality standard.
Supplier-initiated CAPA (commonly "Supplier CAPA" or "SCAR—Supplier Corrective Action Request") operates under supplier quality compliance frameworks and carries additional documentation requirements when the customer is a regulated manufacturer passing obligations downstream.
Tradeoffs and tensions
One persistent tension in CAPA management is scope versus cycle time. A thorough root cause investigation on a complex systemic failure can take 60 to 90 days, while FDA inspection cycles and customer audit schedules create pressure for rapid closure. Closing a CAPA prematurely without verified effectiveness is a documented 483 observation category, meaning FDA investigators cite it as an inspectional observation under 21 CFR §820.100.
A second tension involves over-CAPAing minor issues. Quality systems that route every minor deviation through a full CAPA process create administrative burden that can mask high-risk items. ISO 9001:2015 and FDA guidance both contemplate proportionality—CAPA depth should be commensurate with risk. This tension is managed through risk-based prioritization, which is addressed directly in risk-based quality compliance frameworks.
A third tension is the corrective-versus-preventive boundary. Organizations operating under ISO 13485:2016 must maintain separate preventive action records, whereas ISO 9001:2015-certified organizations may fold prevention into risk management records. When a site is dual-certified, this creates documentation architecture challenges that require explicit procedural reconciliation.
Common misconceptions
Misconception 1: Containment equals corrective action. Quarantining defective product stops the immediate problem but does not eliminate the root cause. FDA Warning Letters have repeatedly cited manufacturers for documenting containment activities as completed CAPAs without evidence of root cause investigation or systemic correction.
Misconception 2: CAPA only applies to product defects. 21 CFR §820.100(a) explicitly lists "processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data" as CAPA inputs. Process failures, documentation errors, and supplier performance gaps all qualify.
Misconception 3: Closing a CAPA ends the obligation. Effectiveness verification must precede closure. FDA's Quality System Regulation guidance states that effectiveness checks are required to confirm the corrective or preventive action did not adversely affect the finished device and that the action was effective.
Misconception 4: Preventive action is optional under ISO 9001:2015. While clause 8.5.3 no longer exists in ISO 9001:2015 as it did in the 2008 version, preventive action intent migrated into clause 6.1 (Actions to address risks and opportunities). The obligation is structural—only its labeling changed.
Checklist or steps (non-advisory)
The following sequence represents the documented phases of a complete CAPA record as described in FDA QSR and ISO 13485:2016 requirements:
- Trigger identification — Document the source event (complaint, audit finding, SPC signal, nonconformance report, or management review output) and assign a unique CAPA record number.
- Problem statement — Define the scope of the nonconformance, including affected product, process, lot numbers, date ranges, and known extent.
- Immediate containment — Document any containment actions taken (quarantine, hold, customer notification) and classify them explicitly as corrections, not corrective actions.
- Root cause analysis — Apply a named RCA methodology (5-Why, fishbone, FTA, FMEA) and document the analysis chain from symptom to root cause with supporting data.
- Action plan development — Define corrective or preventive actions at the root cause level, assign owners, and establish due dates.
- Implementation — Execute planned actions and document completion with objective evidence (revised procedures, training records, engineering changes).
- Effectiveness verification — Establish a verification method (re-audit, statistical sampling, process monitoring over defined period) and document results against predetermined acceptance criteria.
- CAPA closure — Review all phases for completeness, obtain required signatures, and file the completed record per retention requirements (minimum 2 years post-device market life under 21 CFR §820.180).
- Trend analysis — Aggregate closed CAPAs into periodic trend reports for management review input per ISO 9001:2015 clause 9.3.
Reference table or matrix
| Framework | Governing Clause / Section | Corrective Action Required | Preventive Action Required | Effectiveness Check Required |
|---|---|---|---|---|
| FDA 21 CFR Part 820 (QSR) | §820.100 | Yes | Yes | Yes |
| FDA 21 CFR Part 211 (cGMP Pharma) | §211.192, §211.198 | Yes | Implied via OOS/deviation procedures | Yes |
| ISO 9001:2015 | Clause 10.2 / Clause 6.1 | Yes | Via risk management (Cl. 6.1) | Yes |
| ISO 13485:2016 | Clauses 8.5.2 & 8.5.3 | Yes | Yes (standalone clause) | Yes |
| AS9100 Rev D | Clause 10.2 | Yes | Via risk management | Yes |
| FDA 21 CFR Part 117 (FSMA) | §117.150, §117.145 | Yes | Yes (preventive controls) | Yes |
| EU MDR 2017/745 | Annex IX, Chapter I, §3 | Yes | Yes | Yes |
References
- FDA 21 CFR Part 820 — Quality System Regulation (eCFR)
- FDA 21 CFR Part 211 — Current Good Manufacturing Practice for Finished Pharmaceuticals (eCFR)
- FDA 21 CFR Part 117 — Current Good Manufacturing Practice, Hazard Analysis, and Risk-Based Preventive Controls (eCFR)
- FDA Guidance: Quality Systems Approach to Pharmaceutical cGMP Regulations
- FDA Guidance: Process Validation — General Principles and Practices
- ISO 9001:2015 — Quality Management Systems Requirements
- ISO 13485:2016 — Medical Devices Quality Management Systems
- ISO 9000:2015 — Quality Management Systems — Fundamentals and Vocabulary
- SAE AS9100 Rev D — Quality Management Systems for Aviation, Space, and Defense
- EU Regulation 2017/745 — Medical Device Regulation (EUR-Lex)