Corrective and Preventive Action (CAPA)

What is CAPA?  

Corrective and Preventive Action (CAPA) is a fundamental quality process for medical device manufacturers including SaMD.  From the regulations it is really not that complicated.  

21 CFR 820.100 reads:

(a) Each manufacturer shall establish and maintain procedures for implementing corrective and preventive action. The procedures shall include requirements for:

(1) Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems;

(2) Investigating the cause of nonconformities relating to product, processes, and the quality system;

(3) Identifying the action(s) needed to correct and prevent recurrence of nonconforming product and other quality problems;

(4) Verifying or validating the corrective and preventive action to ensure that such action is effective and does not adversely affect the finished device;

(5) Implementing and recording changes in methods and procedures needed to correct and prevent identified quality problems;

(6) Ensuring that information related to quality problems or nonconforming product is disseminated to those directly responsible for assuring the quality of such product or the prevention of such problems; and

(7) Submitting relevant information on identified quality problems, as well as corrective and preventive actions, for management review.

(b) All activities required under this section, and their results, shall be documented.

CAPA is simply the process of finding and correcting quality problems. The CAPA process is the foundation of your quality management system. It is the continuous improvement part of quality management system.

Within the CAPA process we start with reviewing all of the problems that come out of the quality system data. Major problems go straight to CAPA for investigation, and other quality problems not as major will be documented and monitored. Once an issue is identified that requires an investigation, the CAPA system is used to conduct that investigation.

The goal of the CAPA investigation is to first find the root cause of the problem. After that, then define the corrective action and preventive action for that problem. Implement those actions and verify that they are effective in mitigating the quality problem. Every action taken has to be documented.

CAPA Evaluation

It is relatively easy to ensure one has the correct steps in the CAPA process.  Namely:

  • Have a defined procedure
  • Be clear on the mechanism for quality system data to funnel into CAPA consideration, including (and most importantly at times) trend analysis
  • Ensure appropriate attention to working and closing CAPA – be timely
  • Be honest with effectiveness evaluation of corrections and preventive actions


  1. Staff does not make everyone aware of potential quality problems.  This can be cultural – are you creating an atmosphere that encourages and celebrates reporting quality issues?  Or the opposite – do people who point out quality problems get “shutdown.”  Encourage reporting but also encourage that all reports be accompanied by suggested solutions.
  2. Good things are happening – but changes and updates are not tied to the CAPA records.  Generally this is an awareness problem and CAPA project management problem.  This can also be an issue with software related CAPA.
  3. Too much CAPA – unnecessarily creating CAPA records for issues that are not endemic or systematic;  could be a one-off type problem.  Solution:  use trend analysis.
  4. Too little CAPA – avoiding the truth when clear trends are present.  This is a receipt for failure.  Create a quality culture.
  5. Overly complicated effectiveness evaluations – effectiveness evaluation should be commensurate with problem.  Avoid complicated and unnecessarily long term effectiveness evaluations.  Guide:  effectiveness should show at the granularity of the trend analysis.

See our post on Software CAPA Can be Challenging.

About the author

Joel is a quality systems associate and researcher for SoftwareCPR. After working for 7 years in the medical field with the United States Army, he now spends his time exploring tech development and programming. He is the father to two wonderful children and avid fisherman.

SoftwareCPR Training Courses:

IEC 62304 and other emerging standards for Medical Device and HealthIT Software

Our flagship course for preparing regulatory, quality, engineering, operations, and others for the activities and documentation expected for IEC 62304 conformance and for FDA expectations. The goal is to educate on the intent and purpose so that the participants are able to make informed decisions in the future.  Focus is not simply what the standard says, but what is meant and discuss examples and approaches one might implement to comply.  Special deep discount pricing available to FDA attendees and other regulators.

3-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Brian Pate

Next public offering:  June 5-7, 2024
Boston, MA

Email to request a special pre-registration discount.  Limited number of pre-registration coupons.

Registration Link:

Register Now



Being Agile & Yet Compliant (Public or Private)

Our SoftwareCPR unique approach to incorporating agile and lean engineering to your medical device software process training course is now open for scheduling!

  • Agile principles that align well with medical
  • Backlog management
  • Agile risk management
  • Incremental and iterative software development lifecycle management
  •  Frequent release management
  • And more!

2-days onsite (4 days virtual) with group exercises, quizzes, examples, Q&A.

Instructors: Mike Russell, Ron Baerg

Next public offering: Tuesday, January 23 through Friday, January 26 from at 11 am – 3 pm EST

Virtual via Zoom

Registration Link:

Register Now



Medical Device Cybersecurity (Public or Private)

This course takes a deep dive into the US FDA expectations for cybersecurity activities in the product development process with central focus on the cybersecurity risk analysis process. Overall approach will be tied to relevant standards and FDA guidance documentation. The course will follow the ISO 14971:2019 framework for overall structure but utilize IEC 62304, IEC 81001-5-1, and AAMI TIR57 for specific details regarding cybersecurity planning, risk characterization, threat modeling, and control strategies.

2-days onsite with group exercises, quizzes, examples, Q&A.

Instructor: Dr Peter Rech, 2nd instructor (optional)

Next public offering:  TBD

Corporate Office

15148 Springview St.
Tampa, FL 33624
Partners located in the US (CA, FL, MA, MN, TX) and Canada.