CAPA (corrective and preventive action) is the quality-system process for fixing problems at their root cause so they stop recurring. Corrective action eliminates the cause of a nonconformity that already happened; preventive action eliminates the cause of a potential nonconformity before it happens. Both end with verified evidence that the fix worked.

Every plant already does something when product goes wrong. The difference between a plant with a working CAPA process and one without is what happens after the bad pallet is quarantined: does the same failure come back in six weeks, or is the cause actually gone? CAPA is the discipline that closes that gap, and it is also the part of the quality system regulators and auditors read first, because a weak CAPA process means every other weakness stays weak.

What is the difference between corrective and preventive action?

Corrective action reacts to a nonconformity that occurred; preventive action acts on one that has not occurred yet. If a labeler misprinted lot codes and you fix the cause of the misprint, that is corrective. If you then check the three other labelers that share the same setup procedure and fix them before they misprint, that is preventive.

There is a third term people mix in, and the distinction matters on the floor:

Worth knowing for audits: ISO 9001:2015 dropped preventive action as a standalone clause. Its intent moved into risk-based thinking (clause 6.1), and clause 10.2 now covers nonconformity and corrective action. The medical-device standard ISO 13485:2016 still carries separate corrective action and preventive action requirements, so device manufacturers keep both terms alive. Either way, the thinking is identical: find causes, remove them, prove it.

Containment, correction, corrective action, preventive actionFour layers of response, from fastest to deepest1 CONTAINMENT (hours)Stop the bleeding: hold stock, quarantine, stop ship, notify2 CORRECTION (days)Fix the product: rework, sort, re-label, scrap. Cause untouched.3 CORRECTIVE ACTION (weeks)Fix the cause: root cause found, removed, effectiveness verified4 PREVENTIVE ACTION (ongoing)Fix the cause elsewhere: sister lines, similar products, same failure modeMost plants stop at layer 2. CAPA is layers 3 and 4.
The four layers of response. Containment and correction protect the customer today; corrective and preventive action protect every day after.

The 8-step CAPA framework

A CAPA that works walks through eight steps in order. Skipping steps is how plants end up with a folder of closed CAPAs and the same recurring defects.

  1. Identify and document the problem. Capture what happened, where, when, how much product is affected, and how it was detected. A non-conformance report is usually the trigger document. Vague inputs produce vague CAPAs.
  2. Contain it. Protect the customer first: hold suspect inventory, check stock in the warehouse and in transit, add temporary inspection. Containment is not the fix; write it down as a separate action so nobody mistakes it for one.
  3. Assess risk and decide the depth of response. Not every nonconformity deserves a full CAPA. Score severity and recurrence: a one-off cosmetic blemish gets a correction and a note; a repeating failure that can reach customers gets the full process. This triage step is what keeps the CAPA system fast enough to be taken seriously.
  4. Find the root cause. Use a structured method: 5 whys for straightforward problems, a fishbone diagram for messy multi-factor ones. The test of a real root cause: if you remove it, the problem cannot recur by that path. "Operator error" almost never passes that test; the reason the error was possible does. Our guide to root cause analysis covers the methods in depth.
  5. Plan the action. Define what will change, who owns it, and the completion date. Actions that change the process (fixtures, interlocks, revised standards, error-proofing) outlast actions that change people (retraining, reminders, "be careful" emails).
  6. Implement and document. Make the change, update the affected work instructions and training records, and record objective evidence of completion.
  7. Verify effectiveness. After a defined period, check with data that the problem has not recurred and the fix did not create a new one. This step gets its own section below because it is the one most plants skip.
  8. Close and standardize. Close the CAPA with evidence attached, then ask the preventive question: where else could this exact failure mode live? Extend the fix there.
CAPA lifecycle flowThe CAPA lifecycleDETECT +CONTAINTRIAGE:CAPA or not?ROOT CAUSEANALYSISPLAN + IMPLEMENTACTIONSVERIFYEFFECTIVENESSCLOSE +STANDARDIZEeffective: closenot effective: back to root cause
The CAPA lifecycle. The loop-back is the point: a CAPA that fails its effectiveness check reopens, it does not quietly close.

What does FDA 21 CFR 820 require for CAPA?

For medical device manufacturers, CAPA is a regulatory requirement, and the rulebook changed recently. On February 2, 2026, FDA's Quality Management System Regulation (QMSR) took effect, amending 21 CFR Part 820 to incorporate ISO 13485:2016 by reference. The long-standing Quality System Regulation and its familiar 820.100 CAPA section were replaced by ISO 13485's corrective action (8.5.2) and preventive action (8.5.3) requirements, plus FDA-specific additions. If your procedures still cite the old QSR clause numbers, that is an update worth scheduling.

The substance did not get easier. Under either framework, you must document the nonconformity, investigate the cause, take action appropriate to the effect of the problem, verify the action was effective and did not introduce new problems, and keep records of all of it. Outside of devices, the same skeleton appears in ISO 9001 clause 10.2, IATF 16949 for automotive (see our IATF 16949 guide), and GFSI food-safety schemes.

The numbers behind the scrutiny

How do you verify a CAPA actually worked?

An effectiveness check is a planned, dated look at evidence that the problem stopped recurring, done long enough after implementation for the problem to have had a fair chance to come back. It is the difference between "we closed the CAPA" and "we fixed the problem."

Three rules make effectiveness checks real instead of ceremonial:

CAPA effectiveness check timelineA typical CAPA timeline for a weekly-frequency defectDAY 0detect, contain,set pass criterionDAY ~14root causeconfirmedDAY ~30actionsimplementedMONITORING WINDOW (60 days clean data)DAY ~90effectivenesscheck: close or reopenThe pass criterion is written on day 0. The check on day 90 just reads the data.
An effectiveness-check timeline. Scale the monitoring window to how often the defect used to occur.

What makes a corrective action strong or weak?

The strength of a corrective action is how little it depends on humans remembering to do the right thing. The hierarchy runs from strong to weak:

When you review an open CAPA, ask one question of the proposed action: if the person who made this mistake leaves next month, does the fix still hold? If the answer is no, push the action up the hierarchy.

How do you do preventive action in practice?

Preventive action has a reputation for being abstract. In practice it comes from three concrete habits:

None of this requires new theory. It requires the data to be visible, which is why plants that still run quality on paper do corrective action at best and preventive action never: you cannot trend what you cannot see.

Why do CAPA systems fail?

The failure modes are consistent across industries:

Get those four right and CAPA stops being a compliance chore. It becomes the plant's memory: every serious problem gets investigated once, fixed once, and stays fixed.