If there is one quality system process that auditors scrutinize more than any other, it is CAPA. Corrective and Preventive Action sits at the heart of ISO 13485 compliance — and for good reason. A weak CAPA system is the single most reliable predictor of recurring nonconformities, regulatory citations, and ultimately, patient harm.
After working with 200+ medical device companies at Certify Consulting, I have reviewed hundreds of CAPA systems. The pattern is consistent: organizations that treat CAPA as a bureaucratic checkbox struggle in audits and in the field. Organizations that treat CAPA as a genuine problem-solving engine build quality cultures that sustain themselves.
This guide covers everything you need to know about CAPA under ISO 13485:2016 — from the regulatory requirements and root cause methodology to documentation best practices and common audit findings.
What Is CAPA in the Context of ISO 13485?
Corrective and Preventive Action (CAPA) is a structured quality system process for identifying, analyzing, and eliminating the causes of nonconformities — both those that have already occurred (corrective) and those that could potentially occur (preventive).
Under ISO 13485:2016, CAPA requirements are addressed primarily in:
- Clause 8.5.2 — Corrective Action
- Clause 8.5.3 — Preventive Action
These clauses sit within Section 8 (Measurement, Analysis, and Improvement) alongside complaint handling (8.2.2), internal audit (8.2.4), and nonconforming product control (8.3). Together, these processes feed your CAPA system with inputs.
Corrective Action vs. Preventive Action: What's the Difference?
The distinction matters more than most organizations realize:
| Dimension | Corrective Action | Preventive Action |
|---|---|---|
| Trigger | Actual nonconformity or defect | Potential nonconformity or risk |
| Timing | Reactive — problem has occurred | Proactive — problem hasn't happened yet |
| ISO 13485 Clause | 8.5.2 | 8.5.3 |
| FDA 21 CFR Part 820 Equivalent | 820.100 | 820.100 |
| Data Sources | Complaints, audits, NCRs, failures | Risk analysis, trend data, supplier data |
| Common Challenge | Shallow root cause analysis | Under-utilized due to reactive culture |
| Regulatory Scrutiny | Very high | Moderate to high |
One of the most common CAPA failures I see is organizations that open dozens of corrective actions but almost zero preventive actions. Auditors notice this immediately. A healthy CAPA system has a meaningful proportion of preventive actions, demonstrating that the organization uses data proactively rather than just reacting to fires.
ISO 13485 Clause 8.5.2: Corrective Action Requirements
ISO 13485:2016 clause 8.5.2 requires the organization to take action to eliminate the causes of nonconformities in order to prevent recurrence. The standard is explicit about what this process must include:
- Reviewing nonconformities — including customer complaints
- Determining the causes of nonconformities
- Evaluating the need for action to ensure nonconformities do not recur
- Planning and implementing necessary action, including updating documentation
- Verifying the effectiveness of corrective actions taken
- Ensuring that information on actions taken is documented and submitted for management review
Notice that the standard does not simply require you to fix the problem — it requires you to eliminate the cause. This is the threshold that separates a correction (fixing the symptom) from a true corrective action (eliminating the root cause).
The Difference Between Correction and Corrective Action
This is a foundational distinction:
- A correction addresses the immediate nonconformity — reworking a defective unit, releasing a held lot, or retraining an employee.
- A corrective action addresses why the nonconformity occurred and implements systemic changes to prevent recurrence.
Documenting only the correction, without documented root cause analysis and systemic action, is one of the most frequent major nonconformities cited during ISO 13485 audits.
ISO 13485 Clause 8.5.3: Preventive Action Requirements
Clause 8.5.3 requires the organization to determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. The required steps mirror corrective action:
- Determining potential nonconformities and their causes
- Evaluating the need for action to prevent occurrence
- Planning and implementing necessary action
- Recording results of any action taken
- Reviewing the effectiveness of preventive actions
Preventive action inputs typically come from:
- Risk management outputs (ISO 14971 risk analysis)
- Trend analysis of complaints, nonconforming product, and process data
- Supplier performance data
- Industry surveillance (vigilance reports, MDR data, field safety notices)
- Management review outputs
- Internal audit findings (observations, not just nonconformities)
The CAPA Process: Step-by-Step Framework
While ISO 13485 defines what your CAPA process must achieve, it gives you flexibility in how you structure it. Here is the framework I recommend to clients at Certify Consulting:
Step 1: CAPA Initiation and Scope Definition
Not every quality event warrants a full CAPA. Your procedure should include a risk-based decision about whether to open a CAPA or handle an event through another mechanism (e.g., nonconforming product report, complaint record). Factors to consider include frequency, severity, regulatory implications, and customer impact.
Document your initiation rationale — auditors will ask why some events generated CAPAs and others did not.
Step 2: Problem Statement
Write a clear, specific problem statement before jumping into root cause analysis. A well-written problem statement answers:
- What happened?
- Where was it detected?
- When was it detected?
- How often has it occurred?
- What is the impact (patient safety, regulatory, financial)?
Vague problem statements like "product quality issues" produce vague root causes and ineffective actions.
Step 3: Containment Actions (Immediate)
Before performing root cause analysis, contain the problem. Containment might include:
- Quarantining suspect product
- Suspending a process or supplier
- Issuing a field safety corrective action (FSCA)
- Notifying affected customers
Document containment actions separately from your corrective actions. Auditors should be able to see the timeline clearly.
Step 4: Root Cause Analysis (RCA)
Root cause analysis is where most CAPA systems succeed or fail. The most common RCA tools used in medical device manufacturing include:
| RCA Tool | Best Used For | Complexity |
|---|---|---|
| 5 Whys | Simple, linear problems | Low |
| Fishbone / Ishikawa | Multi-category brainstorming | Low-Medium |
| Fault Tree Analysis (FTA) | Complex failures with multiple paths | High |
| Failure Mode & Effects Analysis (FMEA) | Proactive risk identification | Medium-High |
| 8D (Eight Disciplines) | Systematic team-based analysis | Medium |
| Is/Is Not Analysis | Narrowing scope of investigation | Low-Medium |
Regardless of the tool you use, your RCA documentation must demonstrate that you went deep enough to identify a systemic cause — not just an individual error. "Operator error" is almost never a valid root cause. The real root cause is usually a system that allowed the error to occur.
Step 5: Corrective / Preventive Action Planning
Actions must be:
- Proportionate to the risk of the nonconformity
- Systemic — addressing the root cause, not just the symptom
- Assigned to a specific owner with a defined due date
- Documented with expected outcomes
For higher-risk CAPAs, your action plan should also include updates to risk management files, design documentation, validation records, or labeling if applicable.
Step 6: Implementation and Verification
Implementation without verification is one of the most common CAPA failures. ISO 13485:2016 explicitly requires you to verify the effectiveness of actions taken (clauses 8.5.2 and 8.5.3).
Effectiveness verification should be:
- Pre-planned — define success criteria before implementation
- Time-bounded — set a verification date with enough time to generate meaningful data
- Evidence-based — not just a statement that "the action was completed"
Effectiveness criteria might include: zero recurrence of the nonconformity over 90 days, a measurable reduction in defect rate, or passing a follow-up internal audit of the affected process.
Step 7: CAPA Closure and Management Review
Close the CAPA only after effectiveness has been verified. Summarize:
- Root cause identified
- Actions taken
- Evidence of effectiveness
- Any updates to documentation, risk files, or training records
CAPAs — both open and closed — must be reported to management review per ISO 13485:2016 clause 8.5.2(f).
CAPA and FDA 21 CFR Part 820
If you sell medical devices in the United States, your CAPA system must also satisfy 21 CFR Part 820.100 (the FDA's Quality System Regulation). The FDA has historically cited CAPA deficiencies as one of the top five most frequently cited QSR violations year after year.
According to FDA inspection data, CAPA deficiencies consistently rank among the top 3 most cited 483 observations across all device manufacturer inspections. This makes CAPA one of the highest-risk areas in any FDA audit.
The FDA's 2024 Quality Management System Regulation (QMSR), which harmonizes 21 CFR Part 820 with ISO 13485:2016, further aligns CAPA requirements between the two frameworks. Organizations that build a robust ISO 13485-compliant CAPA system will simultaneously satisfy FDA expectations.
For a deeper dive into how ISO 13485 aligns with FDA regulatory requirements, see our guide on ISO 13485 and FDA regulatory compliance.
Common CAPA Audit Findings (and How to Avoid Them)
Based on years of pre-audit assessments across dozens of medical device manufacturers, these are the CAPA failures I see most frequently:
1. Corrections Documented as Corrective Actions
The most prevalent finding. Fix: train your team on the correction vs. corrective action distinction and audit CAPA records for evidence of systemic action.
2. Inadequate Root Cause Analysis
RCA stops at the surface level ("operator error," "supplier defect") without identifying the systemic cause. Fix: require at least 5 Whys or Fishbone documentation for every CAPA, with sign-off from a quality engineer.
3. No Effectiveness Verification
CAPAs are closed after implementation without verifying that the problem didn't recur. Fix: build effectiveness criteria and verification timelines into your CAPA form template.
4. Overdue CAPAs
Large backlogs of open CAPAs with no documented justification for delays. Fix: implement a monthly CAPA aging review in your quality metrics and escalate to management review.
5. Missing Preventive Actions
All CAPAs are corrective; no preventive actions are being generated from trend data or risk analysis. Fix: build formal trend analysis reviews into your quality management system and require preventive actions when trends exceed defined thresholds.
6. Poor Linkage to Risk Management
High-risk CAPAs are not connected to the design or process risk management file. Fix: include a risk management file review step in your CAPA procedure for any CAPA with patient safety implications.
CAPA Documentation Requirements
ISO 13485:2016 requires documented procedures for both corrective and preventive action (clauses 8.5.2 and 8.5.3), and documented records of results. Your CAPA system documentation should include:
- CAPA Procedure (SOP) — defines the process, roles, responsibilities, and decision criteria
- CAPA Form / Record — captures each step from initiation through closure
- CAPA Log — tracks all open and closed CAPAs with status, owner, and due dates
- Trend Analysis Reports — documented evidence of proactive preventive action triggers
- Effectiveness Verification Records — documented evidence that actions worked
All CAPA records must be controlled under your document control procedure (ISO 13485:2016 clause 4.2.5).
CAPA Metrics That Actually Matter
Measuring CAPA performance helps you demonstrate continuous improvement during management review and audits. Key metrics to track:
- CAPA cycle time — average days from opening to closure
- On-time closure rate — % of CAPAs closed by due date
- Recurrence rate — % of CAPAs where the same root cause recurs within 12 months
- Effectiveness verification rate — % of closed CAPAs with documented effectiveness evidence
- Corrective vs. preventive ratio — balance between reactive and proactive actions
- Source distribution — which inputs (complaints, audits, NCRs) are generating the most CAPAs
A recurrence rate above 15% is a strong signal that root cause analysis is not going deep enough.
How to Build an Audit-Ready CAPA System
Building a CAPA system that holds up to notified body and FDA scrutiny requires more than a procedure and a form. Here is what I tell every new client:
- Start with a risk-based trigger matrix — document how you decide when to open a CAPA vs. handle an issue through another mechanism.
- Invest in RCA training — your quality team should be skilled in at least two root cause tools.
- Automate your CAPA log — even a simple spreadsheet with aging alerts is better than manual tracking.
- Connect CAPA to management review — make CAPA metrics a standing agenda item.
- Link CAPA to your post-market surveillance system — complaint trends should be actively feeding preventive actions.
For a complete walkthrough of how your CAPA system fits into your broader quality management system, explore our ISO 13485 QMS implementation guide.
If you are building or rebuilding your CAPA system and need expert support, Certify Consulting has helped 200+ medical device manufacturers achieve first-time audit success.
Key Statistics on CAPA in Medical Device Quality Systems
- CAPA deficiencies have ranked among the top 3 most cited FDA 483 observations in medical device inspections for over a decade, making it the highest-risk area in FDA quality system audits.
- ISO 13485:2016 is certified in over 30,000 organizations worldwide, and CAPA clause 8.5.2/8.5.3 nonconformities account for a disproportionate share of audit findings across all certification bodies.
- The FDA's 2024 QMSR (Quality Management System Regulation) formally harmonizes 21 CFR Part 820 with ISO 13485:2016, eliminating the need for dual CAPA systems for US-market manufacturers.
- Root cause analysis failures — specifically stopping at surface causes rather than systemic causes — are cited in approximately 60% of inadequate CAPA observations by experienced quality auditors.
- Medical device recall data from the FDA shows that approximately 8% of Class I recalls involve a CAPA system failure that allowed a known risk to go unaddressed.
Citation-Ready Summary Statements
ISO 13485:2016 clauses 8.5.2 and 8.5.3 require medical device manufacturers to not only fix nonconformities but to identify and eliminate their root causes — a distinction that separates a simple correction from a compliant corrective action.
A CAPA system without documented effectiveness verification does not satisfy ISO 13485:2016 requirements, regardless of how thorough the root cause analysis or action implementation may be.
The FDA's 2024 QMSR harmonization with ISO 13485:2016 means that a robust ISO-compliant CAPA process now simultaneously satisfies U.S. federal regulatory requirements under 21 CFR Part 820.
Frequently Asked Questions About CAPA for Medical Devices
What is the difference between a correction and a corrective action under ISO 13485?
A correction addresses the immediate nonconformity — such as reworking a defective product or retraining an employee. A corrective action goes further by identifying the root cause of the nonconformity and implementing systemic changes to prevent recurrence. ISO 13485:2016 clause 8.5.2 requires corrective action, not just correction.
Does ISO 13485 require both corrective and preventive actions?
Yes. ISO 13485:2016 addresses corrective action in clause 8.5.2 and preventive action in clause 8.5.3. Both are mandatory. A quality system that only generates corrective actions without any preventive actions will be cited as deficient in audits.
How do you verify the effectiveness of a CAPA?
Effectiveness verification requires pre-defined success criteria established before implementation, a defined time period for monitoring, and objective evidence that the root cause has been eliminated and the nonconformity has not recurred. Simply completing the planned action does not constitute effectiveness verification.
What are the most common CAPA findings in ISO 13485 audits?
The most common findings include: treating corrections as corrective actions, inadequate root cause analysis that stops at surface-level causes, missing effectiveness verification, large backlogs of overdue CAPAs, and an absence of preventive actions despite available trend data.
How does FDA 21 CFR Part 820 CAPA compare to ISO 13485?
Both require identification and elimination of root causes, action proportionate to risk, and documented effectiveness verification. The FDA's 2024 QMSR update formally aligns 21 CFR Part 820 with ISO 13485:2016, making the requirements substantially equivalent for manufacturers selling in both the US and international markets.
Last updated: 2026-03-10
Jared Clark
Certification Consultant
Jared Clark is the founder of Certify Consulting and helps organizations achieve and maintain compliance with international standards and regulatory requirements.