CAPA stands for Corrective and Preventive Action. It’s one of the most fundamental concepts in pharmaceutical quality management and one of the most consistently misunderstood.

The corrective part addresses a quality problem that has already occurred: you’ve identified a failure, and you’re taking action to fix it. The preventive part addresses risk: you’ve identified something that could fail, and you’re taking action before it does. In practice, most CAPAs in a drug manufacturing environment are corrective. True preventive CAPAs, opened proactively based on risk or trend data rather than in response to a failure, are less common but just as important.

When Is a CAPA Opened?

CAPAs aren’t opened for every quality event. A CAPA is warranted when the issue is significant enough that a structured, tracked response is needed, and when there’s a root cause that requires systemic correction to prevent recurrence. Not every deviation needs a CAPA. Many minor deviations are resolved with direct corrective action (retraining, remediation of the immediate issue) without needing a formal CAPA.

CAPAs are typically opened from:

  • Deviations with significant or recurring root causes
  • Out-of-specification or out-of-trend results that indicate a systemic issue
  • Internal or external audit findings
  • Customer or regulatory complaints
  • Product recalls or field alerts
  • FDA 483 observations or warning letter items
  • Recurring deviation patterns identified during trending
  • Management review conclusions that identify quality gaps

The decision to open a CAPA vs. handle an issue through the deviation process alone is a quality judgment. It should be documented. “This deviation was handled within the deviation record without a CAPA because [reason]” is acceptable. Leaving it unaddressed because no one decided either way is not.

The CAPA Process Step by Step

Step 1: Problem Statement Describe the issue being addressed specifically and factually. “Data integrity concerns identified during internal audit of CDS system” is vague. “Internal audit conducted 2026-05-15 identified that HPLC instrument AU-04 had audit trail disabled for sequence integration events, affecting 47 sequences processed between 2026-01-01 and 2026-05-15” is specific. The problem statement determines the scope of the entire CAPA.

Step 2: Risk Assessment Before diving into root cause analysis, assess whether the identified issue poses immediate product or patient risk. If it does, the CAPA process includes immediate containment actions taken concurrently with the full investigation, not after. Risk assessment documents whether: affected product is in distribution, further risk exists if the problem continues, and what the likely impact on product quality or safety is.

Step 3: Root Cause Analysis This is where most CAPAs succeed or fail. Root cause analysis must identify the systemic reason why the failure occurred, not just describe what happened. Common structured methods:

5-Why Analysis: Ask “why” repeatedly until you reach the systemic failure. The audit trail was disabled (why?) because an IT upgrade reset audit trail settings (why?) because the change control process for IT upgrades didn’t include a validation impact assessment checkpoint (why?) because the change control SOP was written before the DI policy was implemented and wasn’t updated (root cause: change control SOP gap).

Fishbone Diagram (Ishikawa): Categorizes potential causes into branches (People, Process, Equipment, Materials, Environment, Management) and works through each branch to identify contributing factors. Useful for complex failures with multiple contributing causes.

Failure Mode and Effects Analysis (FMEA): More structured, assesses severity, occurrence, and detectability for each identified failure mode. More commonly used for process design risk assessment than for single-event CAPA investigations.

Whatever method you use, the root cause conclusion must be supported by evidence. “Root cause: human error” supported by no further investigation is not a root cause.

Step 4: Corrective Actions What will be done to fix the identified failure and its direct effects? Corrective actions are specific, have owners, and have due dates. They address the root cause, not just the symptom.

Poor corrective action: “Retrain personnel on audit trail requirements.” Better corrective action: “Revise the change control SOP to include a validation impact assessment checkpoint for all IT system changes. Train all IT and validation personnel on the revised SOP within 30 days of SOP approval.”

The difference: the first doesn’t address the systemic gap. The second does.

Step 5: Preventive Actions Are there similar issues elsewhere that haven’t caused a problem yet but could? If the audit trail was disabled on one HPLC instrument due to an IT upgrade, check the other instruments. If the change control SOP gap affected HPLC instruments, could it have affected other validated systems? Preventive actions extend the fix to adjacent risks.

Step 6: Implementation and Verification Each action has a due date and an owner. QA tracks completion. When an action is completed, it’s verified: the SOP was revised and approved (check the document control system), training was completed (check training records), the audit trail is now correctly configured (verify in the system).

Step 7: Effectiveness Check This is where many CAPA systems fail. An effectiveness check is a planned assessment, conducted after implementation, that verifies the CAPA actually solved the problem. It’s not enough to complete the actions. The actions must have worked.

For the audit trail CAPA example: conduct a follow-up audit of HPLC systems 6 months after the revised change control SOP is implemented. Verify no new audit trail issues were introduced during IT changes during that period. If there are no new issues, the CAPA is effective. If there are, the CAPA is reopened and the root cause analysis is revisited.

Effectiveness checks need defined criteria upfront: what does “effective” look like? How will it be measured? When will it be assessed? These questions should be answered when the CAPA is opened, not when it’s time to close it.

CAPA Timelines

CAPAs need due dates for root cause completion, action completion, and effectiveness check. FDA doesn’t specify exact timelines in regulation, but inspection experience makes the expectations clear:

  • Root cause analysis: generally within 30 days of CAPA opening for standard CAPAs, faster for critical ones
  • Action items: typically 30-90 days, depending on complexity
  • Effectiveness checks: typically 3-12 months after implementation, depending on the issue and what metric will demonstrate effectiveness

CAPAs without due dates, or with due dates that keep getting extended without justification, are findings. An aging CAPA with a root cause that says “under investigation” after 90 days tells an inspector the organization isn’t taking it seriously.

What Makes a CAPA System Work vs. Just Exist

Companies have CAPA systems. Not all of them work.

A CAPA system that works:

  • Has clear ownership (every CAPA has an owner who is accountable for completion)
  • Tracks due dates and escalates overdue items
  • Has meaningful effectiveness checks with defined criteria
  • Is reviewed regularly at management review (CAPA aging, overdue items, effectiveness failures)
  • Gets closed only when actions are verified and effectiveness is confirmed

A CAPA system that just exists:

  • Has CAPAs open for years with no substantive progress
  • Has effectiveness checks that say “effective” with no data to support the conclusion
  • Has root causes that are generic (“training,” “human error”) across all events
  • Has actions that are completed on paper but haven’t changed anything in practice
  • Is never discussed at management review

The FDA has seen both. An inspector reviewing your CAPA system can tell the difference within 30 minutes by reading a random sample of records.

21 CFR 820 vs. 211 Requirements

For drug manufacturers, CAPA requirements appear in 21 CFR 211 through the requirements for investigation of failures (211.192) and the overall quality system requirements. For medical device manufacturers, 21 CFR 820.100 explicitly requires a CAPA procedure that includes: analysis of data to identify existing and potential causes of nonconforming product, investigation of the cause, identification and implementation of corrective and preventive action, verification that the corrective action is effective, and documentation of all activities.

The ISO 9001 and ISO 13485 frameworks (the latter for medical devices) also have explicit CAPA requirements that align with the FDA framework. The ICH Q10 Pharmaceutical Quality System describes the CAPA system as one of four key knowledge management tools along with the management review, change management, and continual improvement processes.

CAPA vs. Deviation: When to Use Which

A deviation documents that something happened and resolves the immediate situation. A CAPA addresses the root cause systemically.

Think of it this way: a deviation is the incident report; a CAPA is the improvement program. For a single, minor deviation with an obvious and non-systemic cause, a deviation record with documented corrective action is sufficient. When the investigation reveals that the same problem has happened before, or the root cause is a systemic gap in a procedure or system, a CAPA is warranted.

The deviation record and the CAPA record are separate but linked. The deviation documents what happened and the immediate response. The CAPA, if opened, documents the systemic investigation and long-term fix. Both can reference each other by number.

Using CAPA Data for Continuous Improvement

Aggregated CAPA data is one of the most valuable sources of information about the health of a quality system. At management review, CAPA metrics worth tracking:

  • Number of CAPAs opened by source (deviation, audit, complaint, trending)
  • Number of CAPAs overdue
  • Average time to root cause completion
  • Effectiveness check pass rate
  • Recurring root causes (same root cause appearing in multiple CAPAs)

Recurring root causes are the most actionable signal. If five CAPAs over the past year all trace back to “change control SOP inadequate” or “training not completed before procedure implementation,” that’s a quality system gap that needs structural correction. The individual CAPAs addressed individual events; the pattern requires a systemic response.