CAPA – Corrective & Preventive Action
This topic is part of the SG Systems Global regulatory glossary series.
Updated October 2025 • Cross-Industry (Pharma, Devices, Food, Supplements, Cosmetics) • ICH Q10 / 21 CFR / EU GMP / ISO
Corrective & Preventive Action (CAPA) is the structured process for eliminating the causes of actual and potential nonconformities and preventing their recurrence or occurrence. It is the engine room of the quality system: data-driven, risk-based, and documented with audit trails and electronic signatures under 21 CFR Part 11 / EU Annex 11. In mature operations, CAPA is not “a ticket after a deviation”; it is a closed-loop improvement system that ingests signals from deviations, complaints, OOS/OOT results, CPV trends, supplier issues, APR/PQR findings, and audits—then forces disciplined root-cause analysis, proportionate action, and effectiveness verification.
“CAPA is where quality proves it can change the system—not just document the failure.”
1) What It Is
CAPA spans two complementary domains: Corrective Action addresses the causes of an observed nonconformity (e.g., deviation, complaint, audit finding) to prevent recurrence. Preventive Action addresses the causes of a potential nonconformity identified through risk analysis, trending, or change impact to prevent occurrence. Both use the same disciplined scaffolding: problem statement, containment, investigation and root cause, risk assessment, action plan, implementation with controls, and effectiveness checks. In pharmaceuticals and biologics, CAPA is embedded in ICH Q10 and enforced through 21 CFR 210/211 and inspection practice; medical devices (21 CFR 820) explicitly mandate CAPA procedures and records; food and dietary supplements (21 CFR 117, 111) require corrective actions under preventive controls and deviations; EU GMP expects a documented system of corrective and preventive actions tied to management review and product quality review.
Scope & interfaces. CAPA is the nexus between nearly every quality process: it consumes deviations/NCRs (nonconformances), complaints, OOS/OOT investigations, internal/external audits, supplier qualification outcomes, CPV and SPC trends, label incidents, and stability signals; it outputs change controls, training, procedure updates, method or spec changes, re-validation, and supplier remediation. The loop closes when data show the action was effective—ideally visible in APR/PQR and management review.
2) Lifecycle & Governance
A robust CAPA lifecycle follows a consistent, auditable path: trigger → containment → investigation → root cause → risk assessment → action planning → implementation → effectiveness verification → closure → management review.
- Trigger & containment. A signal appears (deviation, complaint, barcode misread trend, cross-contamination event, allergen incident). Immediate containment protects product/patient/customer (holds via bin/location controls, batch quarantine, label print stops).
- Investigation & root cause. Use structured problem solving (5 Whys, fishbone, fault tree, barrier analysis) with data from eBMR, BMR, LIMS, environmental monitoring, equipment status, and audit trails. Distinguish special-cause vs. common-cause variation via SPC.
- Risk assessment. Evaluate severity × occurrence × detectability, downstream impact on released lots (via batch genealogy), and regulatory/reporting obligations.
- Action planning. Define corrective (remove root cause) and preventive (systemic) actions: design changes, recipe/spec edits, weighing tolerances, equipment maintenance, cleaning/labeling enhancements, supplier remediation, training. Route through approval workflow and bind to change control where masters are affected.
- Implementation & verification. Deploy under controlled effectivity; verify with targeted checks, CPV monitoring, or challenge tests.
- Effectiveness check & closure. Pre-define success criteria (signal frequency reduction, zero recurrences over N lots, SPC center/variance shift, right-first-time rise). Close only with evidence; escalate to additional action if not met.
Governance. CAPA ownership typically sits with QA; cross-functional Boards review critical cases, remove blockers, and ensure independence between investigators and approvers. Prioritization uses risk and business impact; aging limits and escalation rules keep momentum. Integration with supplier quality, complaint handling, recall/field-action processes, and management review is explicit, not implied.
3) Root Cause, Evidence Quality & Human Factors
Poor CAPA stems from poor problem definition. State the gap (what, where, when, how big) and the standard (what should have happened). Use precise data: timestamps from audit trails, exact batch ticket steps, scan IDs from barcode validation, and bin movements. Consider human-factors causes: UI friction, ambiguous labels, workload peaks, and alarm fatigue. If the “fix” is “retrain operators,” you probably have not addressed root cause; design out error with interlocks and Poka-Yoke (e.g., block issuing the wrong lot, block starting with obsolete labels, force “Verified Clean” status via cleaning validation before a non-compatible run).
4) Digital Enforcement & Data Integrity
Effective CAPA lives in systems, not slide decks. When a CAPA mandates a change, the environment must make the old behavior impossible or obviously wrong. In V5, CAPA actions that touch recipes/specs, test limits, label art, or workflows are executed through change control and pushed to MES, WMS, labeling, and LIMS integrations. Attempts to weigh or pick non-conforming components are blocked (scanner interlocks), attempts to print superseded labels are blocked (template/version interlocks), and attempts to start batches on equipment without “Verified Clean” status are blocked. All actions and overrides are captured with audit trails and e-signatures under Part 11/Annex 11. The effectiveness check can then query real behaviors, not attestations.
5) Metrics That Matter
- CAPA aging (open > 30/60/90 days) by severity class—signals capacity and priority problems.
- Recurrence rate of source issue within 6–12 months after closure—ultimate effectiveness metric.
- Right-first-time closure (no re-open due to evidence gaps or missed actions).
- Action type mix (design/system changes vs. training/documentation only)—proxy for robustness.
- Time to containment (trigger → hold/quarantine) using bin/location controls and release blocks.
- SPC/CPV trend shift post-CAPA on targeted CQAs/IPCs—evidence of process change.
- Supplier CAPA closure time and correlation to inbound Component Release rejects.
6) Common Failure Modes & How to Avoid Them
- Symptom fixes. “Re-train and remind” without removing error opportunities. Remedy: design interlocks in MES/WMS/labeling; automate checks.
- Data free investigations. No audit-trail review, no time-series analysis. Remedy: pull audit trails, eBMR timestamps, and SPC before concluding.
- Orphan actions. CAPA requires a spec/label change but masters not updated. Remedy: tie every action to a change control record with effectivity.
- Weak effectiveness checks. Closure with “no further issues observed.” Remedy: define quantitative criteria and time windows up front (e.g., “zero mislabels in 10,000 prints” or “CpK ≥ 1.33 for fill weight over 8 weeks”).
- CAPA overload. Everything becomes CAPA; nothing finishes. Remedy: risk-based intake, tiering, and CRB scheduling.
- Supplier reliance without verification. Accepting supplier CAPA with no incoming checks. Remedy: align with Component Release and sampling plans; monitor correlation.
7) How It Relates to V5
V5 by SG Systems Global operationalizes CAPA across production, quality, lab, and warehouse so fixes become the way work happens. In V5 QMS, CAPA records capture problem statements, root-cause analysis, risk ranking, actions, and due dates; the approval workflow enforces role-based sign-off with meaning of signature. When actions touch masters, linked change controls push new versions into MES, labeling, and WMS. Interlocks prevent the old behavior: blocked picks/prints, blocked batch starts, blocked release when CAPA actions are open or effectiveness not verified. For lab-driven CAPA, LIMS integrations via the V5 Connect API synchronize method/spec changes and post OOS/OOT dispositions; the CoA pulls the final, valid results with traceability.
Effectiveness checks become dashboards: CPV charts on yields and CQAs, SPC control limits for key steps, blocked-transaction counts (attempted bad scans or obsolete labels), complaint rates, and right-first-time. These flow into APR/PQR so management can judge whether CAPA is reducing risk or just generating paperwork.
8) FAQ
Q1. What’s the difference between deviation, NCR, and CAPA?
A deviation/NCR records a specific failure. CAPA is the structured project to remove the cause of that failure or its risk. Many deviations will not require a CAPA; high-risk, recurring, or systemic issues should.
Q2. How long should CAPA stay open?
As short as possible without skipping effectiveness checks. Set class-based targets (e.g., 60 days for moderate, 90–120 for major). Use aging dashboards and escalate blockers.
Q3. How do we prove effectiveness?
Define quantitative, time-bound criteria at initiation: recurrence rate, SPC shift, first-pass yield, complaint trend. Verify against live data from eBMR, LIMS, and WMS; if not met, extend or adjust actions.
Q4. Are training and SOP updates good enough for CAPA?
Rarely on their own. They’re adjuncts. Prefer design/system changes (interlocks, tolerances, label governance). If training is used, show why human error was the dominant root cause and how the environment changed to support the behavior.
Q5. How does CAPA relate to change control?
CAPA defines what must change and why; change control governs how the change is evaluated, approved, implemented, and verified in systems and documentation.
Q6. Can supplier CAPA close ours?
Only if risk-appropriate verification shows the supplier action worked (incoming test correlation, reduced component rejects, audit results). Otherwise, keep your CAPA open and escalate.
Related Reading
• Foundations & Governance: 21 CFR Part 11 | EU GMP Annex 11 | 21 CFR 210/211
• Signals & Trending: Continued Process Verification (CPV) | Control Limits (SPC) | APR / PQR
• Execution & Interlocks: Automated Batch Records (eBMR) | Barcode Validation | Bin / Location Management | Cleaning Validation
• Release & Evidence: Batch Release | Certificate of Analysis (CoA) | Change Control