Revisiting CAPA for a More Modern (and Effective) Approach

Corrective action and preventive action (CAPA) policies and procedures have been a mainstay for years in most life science companies’ quality management systems, owing to adherence to regulations and standards. Across our business, and with our clients, we are seeing an increased emphasis on implementations across several standards and regulations, which address the needs of products marketed across multiple regulatory regions. With impressive technological advances, it is natural that companies are starting to develop products that span multiple sectors, and even multiple regulatory pathways. A not too far-fetched example might be a product that has a companion diagnostic via a software platform that determines the disease, which is then treated by a personalized formulation of a stem cell allograft that utilizes a drug delivery system to deliver a targeted dose at a specific site, all of which would then be monitored by a health maintenance app on a mobile device. In this scenario, applying a CAPA / quality event system that is fit for purpose for all aspects of this cross-platform therapy is quite involved, with at least four regulations/standards to consider (medical devices, HCT/Ps, biologics, GAMP, etc.).

So, the question then becomes: what standard/regulation do you use for your CAPA system and how do you cover all the others? The answer is nuanced, but generally the use of ISO 13485 Section 8 and 21 CFR 820.100 for medical devices should be considered and all others applied in a ‘belts and braces’ approach. This paper will utilize 21 CFR 820.100 as the basis for the CAPA system, then reconcile it with ISO 13485 and finally build a highly efficient, best practices process.

The use of the 820.100 regulation as a starting point is crucial because of the level of detail available in the regulation and the prescriptive nature of the process, as described in the 820.100 section. Interestingly, most CAPA systems I come across, including non-medical device systems, in fact utilize these regulations as a basis. I’ll explain more below.

Regulations and Constraints

The CAPA process is generally constrained by the regulations and standards as applied to our industry; to this day FDA still issues more 483 observations for CAPA deficiencies than any other category. FDA’s 21 CFR 820.100 requires the following elements, in order (paraphrased):

  • Investigate for root cause
  • Identify action needed to correct / prevent occurrence and reoccurrence as well as apply a correction if needed
  • Verify/validate that the corrective / preventative action is effective
  • Implement the solution via documented processes and procedures
  • Disseminate the information to appropriate staff
  • Submit for management review, and
  • Document

We will therefore use these elements and this process as the baseline for constructing our CAPA system. Since we want to ensure compliance to other regions/standards, we should also look at the other most common regulation, ISO 13485, Section 8, which is paraphrased below:

  • Determine cause
  • Evaluate action needed to prevent recurrence or occurrence
  • Planning / documenting action to implement
  • Verifying that the action meets requirements
  • Reviewing effectiveness, and
  • Document

Now, before we get too deep into parsing the meaning of each step, and then building our new system, a few cautions need to be stated on the definitions of words used in both the FDA regulation and the ISO standard. The words correction, corrective action and preventive action are too often misused or misunderstood. Simply put, a correction addresses an immediate problem, a corrective action is intended to prevent recurrence and a preventive action is intended to prevent occurrence in the first place. The following example may best illustrate the differences.

Imagine a production area where a technician enters the room to find one tank of reagent spilling on the floor via an open valve. A correction would be to immediately stop the spill, perhaps closing an open valve. This is immediate, and often precedes opening a CAPA process (you wouldn’t want to wait to stop the reagent from continuing to spill). Later, after a CAPA process is initiated, a corrective action may be to put a lock or sensor on the valve to prevent/alarm when the valve is open. A preventive action would be to apply the same lock/sensor on the other tanks, even though (so far) no leaks have occurred on those tanks.

Another area of confusion seems to be around verification versus validation. Again, a simplistic way to differentiate is to consider the above leaking tank. After the corrective action or preventive action has been proposed, the effectiveness of the proposed solution can be determined via two approaches: perform a thorough/complete verification of the solution on a pre-production small scale, or off-line tank, or perform a statistical validation on the full-scale tank and process.

Therefore, a verification implies smaller scale, off-line testing with a generally thorough (100%) check of all the functionality, whereas a validation implies testing on the full-scale process, where a statistical approach is used to ensure reliability of key/critical parameters. By the way, FDA does not require one versus the other, but you must justify your approach as appropriate for your scenario.

Parsing Meaning

So we have two CAPA processes to understand: FDA’s 820.100 and ISO 13485’s Section 8. We will have to clearly reconcile both processes. Before that occurs, we have to parse the meaning of each to understand how we can combine them. Let’s start with FDA’s regulation (again paraphrased):

  • Investigate - FDA wants you to find the ‘smoking gun’, or root cause. Since this may not always be as obvious as the open valve in the example above, there are some good tools to use that help this process, the scope of which is beyond this paper, but include the 5 Whys, Fault Tree Analysis, Is / Is Not Comparators, etc. Note that ‘red herrings’ may confuse and multivariate issues may cloud the root cause. Ultimately, the root cause must explain ALL of the observed facts.
  • Identify actions needed to correct / prevent - FDA wants you to propose a solution that solves the root cause. The key words here are propose (do NOT yet implement) and solve (MUST fix the problem). By the way, it is perfectly reasonable to propose several solutions at this point.
  • Verify/validate effectiveness (see above for the differences between verify and validate). Before the selected solution is implemented, FDA wants you to ensure your solution will actually fix the problem and there are no unintended consequences.
  • Implement the solution. Once the proposed solution has been verified or validated, the solution can now be actually implemented. Yes, FDA wants you to work through the first three steps BEFORE you actually implement.
  • Disseminate. As part of implementation, you must ensure appropriate functions are notified of the solution to ensure impact assessments and proper vetting have occurred.
  • Submit for management review. Top management (leadership) MUST be notified and made aware of the CAPA process and solutions/implementations.
  • Document - goes without saying.

Now let’s parse the ISO Standard (also paraphrased):

  • Determine cause. The same as the FDA process; find the ‘smoking gun.’
  • Evaluate action to prevent recurrence or occurrence. Same as FDA; propose solution(s).
  • Planning / documenting action to implement. A little bit different; the standard asks for a plan to verify then implement.
  • Verifying. Note that the standard does not differentiate between verification and validation.
  • Reviewing effectiveness. Similar to the regulation but without mention of management review; an effectiveness check (did the problem get solved?) must be performed.
  • Document. Same as the FDA regulation.


Fortunately, both the standard and the regulation have reasonably similar approaches, which enables a modern CAPA system that can be compliant to both. Generally, the best approach is to start with the FDA regulation, since it is a bit more prescriptive than the standard, and use a ‘belts and braces’ approach to ensure compliance to the standard. We are therefore left with the following steps that cover both:

  • Investigate for root cause
  • Identify/evaluate actions needed to correct / prevent - but do it as a planning exercise
  • Verify/validate effectiveness
  • Implement the solution but check for effectiveness
  • Disseminate
  • Submit for management review, and
  • Document

Based on the above reconciled steps, the CAPA process would look something like this:


Great. Now we have a CAPA process compliant to both the regulation and the standard. But is it efficient and do you get high performance? Not yet.


So, now that we have reconciled the differences between the regulation and standard, how best can we build this into an efficient, highly effective CAPA system? After all, a compliant system doesn’t mean it works well, and in fact can suffer from the opposite: ‘death by CAPA’, which will happen if all quality events / issues are treated the same (‘gumming up the works’). This is where a risk-based approach really helps; it prioritizes the efforts on those issues that require the most attention. Quite simply, if every issue that enters the CAPA process is treated with equal importance, then the system will quickly grind to a halt and important issues will be overlooked (due to lack of visibility). Essentially, a risk-based approach to your CAPA process prioritizes the important issues. The best approach I’ve seen, which by the way is built right into MasterControl’s CAPA module, is to apply a gateway assessment soon after the onset of the CAPA process to determine how big of an issue is being considered. The improved steps in the process then look like this:

  • Perform an initial risk-based assessment; determine whether to formally investigate as a CAPA
  • Investigate for root cause
  • Identify/evaluate actions needed to correct / prevent - but do it as a planning exercise
  • Verify/validate effectiveness
  • Implement the solution but check for effectiveness
  • Disseminate
  • Submit for management review, and
  • Document

And here is what the process flow looks like:


By implementing a risk-based gateway soon after the discovery and initial information are provided, a reasonably accurate risk assessment can be made that determines the criticality of the issue, the immediacy, the course of action and even whether an MDR or recall needs to be initiated. Note that if, during the course of the root cause investigation, additional or different information is made available that changes the risk assessment, an updated assessment may be needed.

So now, even though we added another step to the process, by sorting according to priority, we can focus on those quality issues that truly need attention. You will even find that a considerable number of issues that enter the process never actually become a CAPA. You may ask 'what then becomes of the non-CAPAs?' Well, quite simply, they are documented and closed out without a formal CAPA investigation.


Let's use our production area tank example under two different scenarios. The first is when the tank is on the production line and contains a caustic solution related to the sterilization of the device and it is leaking rapidly on to the floor. If you perform an initial risk-based assessment, you will find that the safety of both the end user and production personnel may be impacted and that there is a high probability of occurrence; therefore, the risk is high. I'm guessing that there are few readers that would argue that this is not a CAPA.

Now, let's change the scenario to where the tank is in a remote area and is only dripping small drops of a non-sterile soapy cleaning agent used prior to a final rinse. The safety impact is minimal to the end user and production personnel. The probability of the tank running dry is low; therefore, the overall risk is low. Does this belong in a formal CAPA investigation? Not likely. Instead, the issue is documented with the low risk assessment, turned over to engineering for a repair and closed out.


If you follow the classic Pareto principle, approximately 80% of quality events that enter the system ought to be low risk and closed out after an initial gateway risk assessment. The other 20% are indeed higher risk and should be formally investigated for root cause (and follow the rest of the CAPA process). Think about how that might change your CAPA system and free up valuable resources to actually investigate the quality events that really matter.

Peter Knauer is a partner with MasterControl's Quality Compliance Consulting (QCC). Peter is co-founder and managing partner of Sage BioPartners, a boutique regulatory, compliance and CMC consulting firm for medical devices, drug products and combination products. You can contact Peter at or
