Corrective and Preventive Action (CAPA) Compliance Requirements
Corrective and Preventive Action (CAPA) is a structured quality system mechanism required across regulated industries (including medical devices, pharmaceuticals, aerospace, and automotive manufacturing) to identify, investigate, and eliminate the root causes of nonconformances and potential failures. Regulatory frameworks from the U.S. Food and Drug Administration (FDA) and the International Organization for Standardization (ISO), together with sector-specific standards such as AS9100 and IATF 16949, impose specific procedural and documentation requirements on CAPA systems. Failure to maintain an adequate CAPA system is one of the most frequently cited findings during regulatory inspections. This page covers the definition and regulatory scope of CAPA, how the process functions, common triggering scenarios, and the boundaries between corrective and preventive action types.
Definition and scope
CAPA encompasses two distinct but related activities. Corrective action addresses a nonconformance that has already occurred — investigating its root cause and implementing changes to prevent recurrence. Preventive action addresses a potential nonconformance identified through trend analysis, risk assessment, or proactive audit, implementing changes before a failure materializes.
Under 21 CFR Part 820 — the FDA's Quality System Regulation for medical devices — CAPA is codified at §820.100, which requires manufacturers to establish and maintain procedures for implementing corrective and preventive actions and to verify or validate those actions to ensure they are effective. The FDA's 2023 final rule aligning Part 820 with ISO 13485:2016 further reinforced CAPA as a foundational element of the Quality Management System (QMS).
For pharmaceutical manufacturers, 21 CFR Part 211 — Current Good Manufacturing Practice regulations — establishes corrective action obligations within laboratory controls (§211.192) and complaint handling (§211.198), though the term "CAPA" is used in agency guidance rather than the statute itself.
ISO 9001:2015, the internationally recognized quality management standard, addresses corrective action at clause 10.2 and eliminates the standalone preventive action clause present in earlier versions, instead embedding preventive thinking throughout risk-based planning under clause 6.1. This distinction matters for organizations seeking ISO 9001 compliance: preventive action is no longer a separate procedural requirement but an integrated risk management discipline.
How it works
A compliant CAPA process follows a structured sequence. The steps below reflect the general framework recognized by FDA guidance documents and ISO standards:
- Problem identification — A nonconformance, customer complaint, audit finding, or trend signal triggers initiation of a CAPA record. Source inputs include internal audits, inspection findings, production data, and field reports.
- Containment — Immediate actions are taken to limit the impact of an existing nonconformance (e.g., quarantine of affected product). Containment is not root cause resolution; it is short-term risk reduction.
- Root cause analysis (RCA) — Structured analytical tools such as Fishbone (Ishikawa) diagrams, 5-Why analysis, or Failure Mode and Effects Analysis (FMEA) are applied to determine the actual systemic cause, not just the symptom.
- Action plan development — Corrective or preventive measures are defined, assigned to responsible owners, and given target completion dates.
- Implementation — Actions are executed, which may include process changes, equipment calibration, document control updates, or personnel retraining.
- Verification of effectiveness — Evidence is collected to confirm the action resolved the root cause. FDA guidance explicitly requires this step; ineffective closure is a common inspection finding.
- CAPA closure and record retention — The completed CAPA record is reviewed, approved, and retained per applicable record-keeping requirements (21 CFR §820.198; ISO 13485 clause 4.2.5).
Organizations operating under GMP compliance requirements must ensure CAPA records are attributable, legible, contemporaneous, original, and accurate (ALCOA principles), particularly when records may be reviewed during FDA inspections.
Common scenarios
CAPA processes are triggered across a wide range of quality events. The following represent the most frequently encountered scenarios in regulated environments:
- Customer complaints alleging product defect or injury, which under 21 CFR §820.198 must be evaluated to determine whether a CAPA investigation is warranted.
- Internal audit findings where a process deviation or system gap is identified — a direct link exists between internal audit compliance programs and CAPA initiation thresholds.
- Supplier-caused nonconformances, where incoming material or components fail acceptance criteria, triggering CAPA on the supply chain rather than internal operations.
- Out-of-specification (OOS) laboratory results, particularly in pharmaceutical manufacturing, where 21 CFR §211.192 requires a written investigation.
- Field failures or product returns, where post-market surveillance data indicates a systemic product performance issue.
- Repeat nonconformances, where the same defect recurs across multiple production lots or time periods, indicating that a prior corrective action was ineffective.
In the aerospace sector, AS9100 compliance requires organizations to document the results of corrective actions and retain evidence that actions were effective, with particular attention to recurring escape events.
Decision boundaries
The boundary between corrective and preventive action — and between a CAPA and a simpler disposition — is a common source of procedural confusion in audits.
Corrective action vs. disposition: Not every nonconformance requires a full CAPA. Organizations typically apply a severity or risk threshold. A single, isolated cosmetic defect with no safety impact may be resolved through disposition under nonconformance management alone. A recurring defect, a safety-critical failure, or a regulatory reporting threshold breach triggers a full CAPA.
Corrective action vs. preventive action: Corrective action is retrospective — a nonconformance has occurred. Preventive action is prospective — analysis of data, trends, or risk assessments identifies a potential failure before it occurs. Under ISO 9001:2015, preventive action is embedded in clause 6.1 risk planning rather than a separate CAPA record, whereas under 21 CFR §820.100, both remain distinct documented activities.
Systemic vs. isolated root cause: When root cause analysis determines a failure is systemic (affecting a process, design, or system), the scope of corrective action must address the system, not merely the affected units. FDA Form 483 observations frequently cite CAPAs that addressed symptoms rather than systemic root causes.
Effectiveness verification criteria: A CAPA is not closed until effectiveness is verified against pre-defined acceptance criteria. Verification methods include re-audit of the affected area, statistical sampling of corrected process output, or a defined monitoring period. The acceptance criteria must be established before implementation — not after — to prevent confirmation bias in effectiveness review.
Organizations managing risk-based compliance QA programs integrate CAPA thresholds directly into their risk registers, using criticality ratings to prioritize investigation depth and response timelines proportionate to patient, user, or operational risk.
References
- 21 CFR Part 820 — Quality System Regulation (FDA, eCFR)
- 21 CFR Part 211 — Current Good Manufacturing Practice for Finished Pharmaceuticals (FDA, eCFR)
- ISO 9001:2015 — Quality Management Systems: Requirements (ISO)
- ISO 13485:2016 — Medical Devices: Quality Management Systems (ISO)
- FDA Guidance: Investigating Out-of-Specification (OOS) Test Results for Pharmaceutical Production
- FDA CAPA Guidance for the Medical Device Industry
- AS9100 Rev D — Quality Management Systems for Aviation, Space, and Defense (SAE International / IAQG)