The CAPA Process: 7-Step Workflow for Quality Teams
CAPA — corrective and preventive action — is the structured process a quality system uses to investigate a problem, fix its root cause, prevent it from recurring or spreading, and prove the fix worked. It’s the backbone of FDA 21 CFR 820 and ISO 13485 quality systems, and one of the most heavily scrutinized elements in a regulatory audit.
What is CAPA?
CAPA stands for corrective and preventive action. It’s a documented, closed-loop process: identify a nonconformance or potential nonconformance, investigate why it happened, act to correct it, act to prevent recurrence, and verify the action actually worked before closing the record.
The “corrective” half deals with a problem that already happened. The “preventive” half deals with a problem that hasn’t happened yet but could, based on trends or risk signals. Both halves rely on the same underlying discipline: root cause investigation, a documented action plan, and verification of effectiveness.
The 7-step CAPA process
Most mature quality systems run CAPA through the same core sequence, whether the trigger is a complaint, an audit finding, or a batch deviation. The steps below map directly to what FDA investigators and ISO 13485 auditors expect to see in a CAPA record.
- Identify and document the problem. Capture what happened, where, when, and how it was detected — a complaint, an OOS result, an internal audit finding, a supplier deviation. Vague descriptions (“mislabeling issue”) get flagged; specifics (“lot 4471-B, 12 units labeled with expired shelf-life date”) don’t.
- Evaluate scope and risk. Determine how big the problem is: one lot or ten, one line or the whole plant, a cosmetic defect or a patient-safety issue. This scoping decision drives urgency, containment level, and whether the issue needs to be escalated to a full CAPA at all.
- Contain the problem. Stop the immediate harm — quarantine affected lots, halt a line, notify affected customers — before the root cause is even fully understood. Containment is a stopgap, not a fix; it buys time for investigation.
- Investigate the root cause. This is the step regulators scrutinize hardest. Use a structured method — 5 Whys or a fishbone/Ishikawa diagram — rather than stopping at the first plausible explanation. A root cause analysis template keeps this step consistent and auditable across teams.
- Plan the corrective and preventive action. Corrective action addresses this specific occurrence (retrain the operator, fix the fixture). Preventive action addresses the underlying system gap so the same failure mode can’t recur elsewhere (update the work instruction, add a poka-yoke check, revise the training program).
- Implement the action plan. Execute the plan with assigned owners and target dates. Update the affected SOPs, training records, or equipment as part of implementation — an action plan that isn’t reflected in the actual procedures hasn’t really been implemented.
- Verify effectiveness and close. Confirm, with objective evidence gathered over a defined period, that the root cause is actually gone — not just that the action was completed. Only then does the CAPA record close.
| Step | Core question | Typical evidence |
|---|---|---|
| 1. Identify & document | What happened, and how do we know? | Complaint record, deviation report, audit finding |
| 2. Evaluate scope & risk | How big and how risky is this? | Risk assessment, affected-lot list |
| 3. Containment | How do we stop the bleeding now? | Quarantine record, hold notice |
| 4. Root cause investigation | Why did it really happen? | 5 Whys or fishbone worksheet |
| 5. Action plan | What will fix it and stop recurrence? | CAPA plan with owners, dates |
| 6. Implementation | Is the plan actually in place? | Updated SOP, training records |
| 7. Effectiveness check & closure | Did it actually work? | Trend data, repeat audit, follow-up sampling |
QualityManager.AI’s free 5 Whys and Fishbone tools can carry you through step 4 today — walk through an AI-guided root cause session and export the finished diagram straight into your CAPA record. A dedicated CAPA tracking module, with workflow, ownership, and effectiveness-check reminders built in, is on our roadmap but not yet live.
Corrective action vs. preventive action
The two halves of CAPA are easy to blur together, but they answer different questions: corrective action asks “how do we fix what already broke,” preventive action asks “how do we stop this from happening somewhere else, or at all.”
| Aspect | Corrective action | Preventive action |
|---|---|---|
| Trigger | A nonconformance that already occurred | A trend, risk signal, or near-miss — nothing has failed yet |
| Question answered | How do we fix this and stop it recurring here? | How do we stop this from ever occurring? |
| Example | Re-torque a batch of fasteners after a customer complaint about a loose fitting | Add a torque-verification step to the work instruction for all similar assemblies plant-wide |
| Example (pharma) | Retrain the operator who missed a in-process check on lot 2291 | Revise the batch record to require electronic sign-off at that check point for every lot |
| Timing | Reactive | Proactive |
In practice, a single CAPA record often contains both: a corrective action for the immediate lot or event, and a preventive action for the system-wide gap that let it happen.
Where CAPA sits in FDA 21 CFR 820 and ISO 13485
Under FDA 21 CFR 820, CAPA is codified in §820.100 as one of the quality system’s core subsystems — device manufacturers must have documented procedures for identifying nonconformances, investigating root cause, taking corrective and preventive action, verifying effectiveness, and communicating quality problems to responsible parties. ISO 13485 covers the same ground in clause 8.5, tying CAPA explicitly to risk management and requiring that actions be proportionate to the risk of the nonconformance.
Both frameworks expect the same underlying discipline: don’t just fix the symptom, prove you found the cause, and prove the fix stuck.
Common FDA 483 observation themes around CAPA
CAPA is consistently one of the most-cited areas in FDA inspections. Typical patterns investigators describe in warning letters and 483s include:
- Inadequate root cause investigation — the record states a root cause without evidence that alternative causes were ruled out, or stops at a symptom (“operator error”) instead of the underlying system gap.
- Missing or superficial effectiveness checks — the CAPA is closed based on “action completed” rather than data showing the problem actually stopped recurring.
- Unjustified or premature closures — records closed to hit a timeline target before the verification period has elapsed or before recurrence data is available.
- Scope too narrow — a corrective action fixes one line or one lot when the same root cause is present across other product lines or facilities.
These aren’t statistics from a specific inspection — they’re recurring patterns quality professionals describe across the industry, and they’re the reason steps 4 and 7 above (root cause and effectiveness verification) deserve the most rigor in any CAPA record.
When to open a CAPA vs. handle it as a routine correction
Not every deviation deserves a full CAPA. Risk-based thinking — required under ISO 13485 and consistent with FDA’s approach — means matching the level of process to the level of risk.
A routine correction is usually enough when the issue is isolated, low-risk, has an obvious and verifiable cause, and doesn’t affect product safety, efficacy, or regulatory compliance. Log it, fix it, move on.
A full CAPA is warranted when the issue recurs, affects patient or user safety, surfaces in an audit finding, shows up as a trend across multiple batches or complaints, or touches a process already flagged as high-risk in your risk assessment. The decision itself is worth documenting — an auditor may ask why a given deviation didn’t trigger a CAPA, and “we assessed it as low-risk and isolated” is a defensible answer only if the assessment is on record.
Building a CAPA process that holds up to audit
A CAPA process is only as strong as its weakest step — and in practice, that’s almost always root cause investigation or effectiveness verification. Standardizing those two steps with a consistent method, rather than leaving them to individual judgment call, is what separates a CAPA system that passes inspection from one that draws a 483.
Frequently asked questions
What's the difference between CAPA and corrective action?
Corrective action is one piece of CAPA — the fix applied after a nonconformance occurs. CAPA (corrective and preventive action) is the broader system: it includes corrective action for the problem at hand, plus preventive action to stop similar problems from happening elsewhere, and the documentation, root cause analysis, and effectiveness checks that tie it together.
What triggers a CAPA?
Common triggers include customer complaints, audit findings (internal or regulatory), out-of-specification test results, repeated nonconformances, supplier deviations, and adverse event or complaint trends. Not every deviation needs a full CAPA — organizations use risk-based criteria to decide which issues warrant the formal process versus a quick correction.
How long should a CAPA take to close?
There's no single regulatory deadline, but most quality systems set internal targets — commonly 30 to 90 days depending on risk level — with documented justification for extensions. Rushing a CAPA to hit a deadline before root cause is confirmed and effectiveness is verified is a common source of FDA 483 observations.
What counts as an effectiveness check?
An effectiveness check is objective evidence, gathered after a defined observation period, that the corrective or preventive action actually eliminated or reduced the root cause. Examples include a defect rate dropping and staying down across several production lots, zero recurrence of a specific complaint type over 6 months, or a repeat audit finding no repeat findings.
Does every nonconformance need a CAPA?
No. Risk-based thinking under ISO 13485 and FDA guidance means low-risk, isolated issues can often be handled as a routine correction — fix it, document it, move on. A CAPA is reserved for problems that are recurring, high-risk, systemic, or tied to product safety and regulatory compliance.