Corrective and Preventive Action (CAPA) Compliance Requirements
Corrective and Preventive Action (CAPA) is a structured quality management mechanism required under multiple federal regulations and international standards, with mandatory applicability in medical devices, pharmaceuticals, aerospace, food manufacturing, and software-intensive industries. CAPA compliance obligations define how organizations identify, investigate, and eliminate the causes of nonconformances — both those that have already occurred (corrective) and those that are anticipated (preventive). Failure to maintain a compliant CAPA system is among the most frequently cited deficiencies in FDA Warning Letters and ISO 9001 surveillance audits.
Definition and scope
CAPA encompasses two distinct but operationally linked processes within a quality management system (QMS). The U.S. Food and Drug Administration codifies CAPA requirements for medical device manufacturers under 21 CFR Part 820.100, which mandates procedures for analyzing quality data, identifying nonconforming product causes, verifying corrective actions, and disseminating information to responsible personnel. The FDA's Center for Drug Evaluation and Research extends analogous requirements to pharmaceutical manufacturers under 21 CFR Part 211 and, for biologics, under 21 CFR Part 600.
ISO 9001:2015, published by the International Organization for Standardization, addresses CAPA implicitly through Clause 10.2 (Nonconformity and Corrective Action) and Clause 6.1 (Actions to Address Risks and Opportunities). Under ISO 9001, preventive action is embedded within risk-based thinking rather than treated as a separate procedural element, a structural departure from legacy versions of the standard. The AS9100 Rev D standard, governing aerospace and defense quality systems, preserves an explicit preventive action requirement alongside corrective action obligations, reflecting the sector's zero-defect tolerance philosophy.
Scope determinations depend on regulatory regime, industry classification, and contractual obligation. A medical device manufacturer subject to 21 CFR Part 820 carries statutory CAPA obligations regardless of certification status; an ISO 9001-certified manufacturer in a non-regulated sector carries obligations defined by the standard's audit criteria and customer contracts. Full definitions of key terms applicable across these frameworks are available at quality-assurance-definitions.
How it works
A compliant CAPA process follows a discrete sequence of phases. The FDA's CAPA guidance documents and ISO 9001 Clause 10 together describe a process architecture that includes:
- Problem identification — Detection of a nonconformance, complaint, audit finding, or process deviation that triggers CAPA initiation.
- Scope and containment — Immediate containment actions to prevent further impact; this phase is distinct from root cause resolution.
- Root cause analysis (RCA) — Systematic investigation using methods such as fishbone diagrams, 5-Why analysis, or fault tree analysis to identify underlying cause(s). The root cause analysis framework governs the analytical tools recognized across major standards.
- Action planning — Development of specific corrective and/or preventive actions with defined owners, resources, and timelines.
- Implementation — Execution of planned actions, which may include process changes, equipment recalibration, retraining, or change control procedures.
- Effectiveness verification — Objective evidence collection confirming that implemented actions resolved the root cause and did not introduce new nonconformances. FDA 21 CFR Part 820.100(b) explicitly requires this verification step.
- Documentation and closure — Records of all phases, maintained per applicable record retention requirements, with closed CAPAs available for management review.
Under ISO 9001:2015, effectiveness verification results feed directly into the organization's continual improvement process under Clause 10.3. The continuous improvement framework describes how CAPA outputs integrate with broader QMS performance monitoring.
Common scenarios
CAPA obligations are triggered across a range of operational contexts:
- Customer complaints — A medical device manufacturer receiving 3 or more complaints within a 30-day window for the same product defect code is typically required to initiate a CAPA rather than handle each complaint as an isolated event, per FDA complaint handling requirements under 21 CFR Part 820.198.
- Internal audit findings — A major nonconformance identified during an ISO 9001 internal audit requires a formal corrective action; minor nonconformances may be addressed through correction alone, depending on the certification body's grading criteria.
- Supplier nonconformances — A supplier delivering out-of-specification components triggers both immediate disposition and a CAPA directed at the supplier's process, with verification that the supplier implemented effective action.
- Process deviations in pharmaceutical manufacturing — Under 21 CFR Part 211.192, any unexplained discrepancy in drug production batch records requires investigation, which constitutes the RCA phase of a pharmaceutical CAPA.
- Software anomalies — In regulated software development environments governed by IEC 62304 or FDA's Software as a Medical Device (SaMD) guidance, defects above a defined severity threshold require formal CAPA documentation.
Decision boundaries
The critical classification boundary in CAPA practice is the distinction between correction, corrective action, and preventive action:
| Term | Definition | Trigger |
|---|---|---|
| Correction | Immediate action to eliminate a detected nonconformity (rework, scrap) | Detected nonconformance |
| Corrective action | Action to eliminate the cause of a detected nonconformance | Detected nonconformance with recurrence risk |
| Preventive action | Action to eliminate the cause of a potential nonconformance | Risk analysis, trend data, near-miss events |
ISO 9001:2015 absorbed preventive action into risk management; AS9100 Rev D and FDA 21 CFR Part 820 retain it as an explicit, separately documented requirement. Organizations operating across multiple frameworks must map their CAPA procedures to the most demanding applicable standard.
A second boundary governs escalation: not every deviation requires a full CAPA. Organizations define threshold criteria — often expressed as severity ratings, recurrence frequency, or regulatory significance — that distinguish events requiring CAPA from those addressable through correction alone. These thresholds must themselves be documented within the QMS, typically in the quality manual or a dedicated CAPA procedure, and are subject to review during third-party audits conducted under the third-party audit framework.