CAPA – Corrective & Preventive Action

This topic is part of the SG Systems Global regulatory glossary series.

Updated October 2025 • Cross‑Industry (Pharma, Devices, Food, Supplements, Cosmetics) • ICH Q10 / 21 CFR / EU GMP / ISO • QMS + MES/LIMS/WMS Interlocks

Corrective & Preventive Action (CAPA) is the structured process for eliminating the causes of actual and potential nonconformities and preventing their recurrence or occurrence. It is the engine room of the quality system: data‑driven, risk‑based, and documented with Audit Trails and electronic signatures under 21 CFR Part 11 / EU Annex 11. In mature operations, CAPA is not “a ticket after a deviation”; it is a closed‑loop improvement system that ingests signals from deviations/NCs, complaints, OOS/OOT results, CPV trends, supplier issues (NCMR, SCAR), APR/PQR findings, and audits—then forces disciplined root‑cause analysis, proportionate action, and effectiveness verification.

“CAPA is where quality proves it can change the system—not just document the failure.”

1) What It Is

CAPA spans two complementary domains: Corrective Action addresses the causes of an observed nonconformity (e.g., deviation, complaint, audit finding) to prevent recurrence. Preventive Action addresses the causes of a potential nonconformity identified through risk analysis, trending, or change impact to prevent occurrence. Both use the same disciplined scaffolding: problem statement, containment, investigation and root cause, risk assessment, action plan, implementation with controls, and effectiveness checks. For devices, 21 CFR 820 explicitly mandates CAPA; for pharma/biologics, CAPA sits inside ICH Q10 and is enforced via 21 CFR 210/211 and EU GMP; for foods/supplements, corrective actions arise under 21 CFR 117/111 as part of preventive controls and deviations.

Scope & interfaces. CAPA consumes deviations/NCRs, complaints, OOS/OOT, internal/external audits (Internal Audit), supplier qualification outcomes, CPV/SPC trends, label incidents (Label Verification), and stability signals; it outputs Change Control, training, SOP updates, method/spec edits, re‑validation, and supplier remediation. The loop closes when live data show the action was effective—in APR/PQR and management review.

2) Lifecycle & Governance

A robust CAPA lifecycle follows: trigger → containment → investigation → root cause → risk assessment → action planning → implementation → effectiveness verification → closure → management review.

• Trigger & containment. Signals include deviation, complaint, barcode misreads, cross‑contamination, allergen incidents. Immediate containment uses holds (bin/location), batch quarantine, label print stops.
• Investigation & root cause. Use 5 Whys, fishbone, fault tree, barrier analysis; pull data from eBMR/BMR, LIMS, EM, equipment status, Audit Trails; distinguish special‑ vs common‑cause via SPC.
• Risk assessment. Rate severity, occurrence, detectability; scope impact with genealogy; note reportability obligations.
• Action planning. Define corrective and preventive actions: design changes, spec edits, weighing tolerances, equipment maintenance, label governance, supplier remediation, training—routed through Approval Workflow and bound to Change Control where masters are touched.
• Implementation & verification. Deploy with effectivity; verify via targeted checks, CPV monitoring, or challenges.
• Effectiveness & closure. Pre‑define success criteria (recurrence rate, SPC headroom, first‑pass yield). Close only with evidence; escalate if unmet.

Governance. QA owns CAPA; a cross‑functional board removes blockers and enforces independence between investigators and approvers. Risk and business impact drive priority; aging limits and escalation keep momentum. Integration with supplier quality, complaint handling, field action/recall, and management review is explicit.

3) Root Cause, Evidence Quality & Human Factors

Define the gap (what/where/when/how big) and the standard (what should have happened). Use precise data: timestamps from Audit Trails, exact Batch Ticket steps, scan IDs from Barcode Validation, and bin movements. Probe human factors: UI friction, ambiguous labels, workload peaks, alarm fatigue. If the “fix” is “retrain,” you probably have not addressed root cause; design out the error via interlocks (block wrong lot issue, obsolete label print, or starting without “Verified Clean” under Cleaning Validation).

4) Digital Enforcement & Data Integrity

Make old behavior impossible. When CAPA changes masters, push versions through Change Control into MES, WMS, labeling, and LIMS. Block picks/prints/batch starts that violate the new rule (hard‑gating). Capture actions and overrides with Audit Trails and e‑signatures per Part 11/Annex 11. Verify effectiveness by querying executed data, not declarations.

4A) Triggers—Concrete Sources That Should Feed CAPA

• Process & Execution: repeated holds in eBMR, recurring hard‑gates, frequent line clearance failures.
• Lab & Stability: borderline trends, OOT signals, method ruggedness failures from TMV, stability issues (Stability Studies).
• Packaging & Labels: mislabels from Label Verification, template drift seen in Document Control, UDI/GTIN errors (UDI, GTIN).
• Warehouse & Logistics: wrong‑lot picks flagged by Barcode Validation, recurring Pack & Ship exceptions, Hold reversals.
• Supplier & Materials: rising NCMR counts, CoA mismatches at Component Release, missed NOC from suppliers.
• Regulatory & Audits: observations from FDA/EU, internal audits, third‑party ISO findings (ISO 9001/13485).
• Customer & Field: complaint clusters, returns (RMA), recall near‑misses (recall readiness).

4B) Sector‑Specific Notes

Medical Devices. Tie design CAPA to DHF/DHR; update risk files per ISO 14971 and check reportability. Food. Link to HACCP and FEFO; control allergens and TNE. Pharma/Biologics. Integrate with Process Validation, PPQ, and Stability.

4C) Documentation—What Belongs in a CAPA Record

• Problem statement + link to source (deviation, complaint, audit, trend).
• Containment description + evidence (photos, logs, Hold transactions).
• Investigation notes, data analysis (SPC, MSA), and audit‑trail evidence.
• Risk assessment and impact scope using genealogy.
• Action plan (what/owner/due/verification) with linked Change Control, revised SOPs, labels, or specs.
• Implementation evidence; training completion tied to Training Matrix.
• Effectiveness criteria and results; note to management review.

4D) Advanced Analytics—Finding Systemic Issues Early

Use proportional control charts on mislabel rate per 10k prints; apply PAT signals to detect drift before OOS; correlate supplier defects with transport and Temperature Mapping; mine EPCIS events for cold‑chain breaks; feed insights into MOC and CAPA intake for proactive fixes.

5) Metrics That Matter

• CAPA aging (open > 30/60/90 days) by severity—capacity and priority signal.
• Recurrence rate of the source issue 6–12 months post‑closure—ultimate effectiveness.
• Right‑first‑time closure (no re‑opens for missing evidence or actions).
• Action mix (design/system vs. training/doc only)—robustness proxy.
• Time to containment (trigger → Hold).
• SPC/CPV shift post‑CAPA on targeted CQAs/IPCs.
• Supplier CAPA timeliness vs. inbound rejects at Component Release.

5A) RACI—Who Does What

5B) Timelines—Sane but Strict

Example service levels: containment within 24 hours (Critical) / 72 hours (Major); root‑cause hypothesis within 7 business days; action plan approved within 14; implementation within 30–60 depending on change scope; effectiveness check at 30/60/90 days with objective criteria. Tie extensions to Approval Workflow so delays are visible and justified.

6) Common Failure Modes & How to Avoid Them

• Symptom fixes. “Retrain and remind” without removing error opportunities. Prefer interlocks and automated checks.
• Data‑free investigations. No audit‑trail review, no time‑series analysis. Pull Audit Trails, eBMR timestamps, and SPC before concluding.
• Orphan changes. CAPA requires a spec/label change but masters not updated. Tie every action to Change Control with effective dates.
• Weak effectiveness checks. Closure with “no further issues observed.” Define quantitative criteria and windows up front.
• CAPA overload. Everything becomes CAPA; nothing finishes. Use risk‑based intake and tiering.
• Supplier reliance only. Accepting supplier CAPA without verification. Align with Component Release sampling and correlation.

7) How It Relates to V5 by SG Systems Global

V5 QMS. CAPA records capture problem statements, RCA, risk ranking, actions, and due dates; the Approval Workflow enforces role‑based signatures. When actions touch masters, linked Change Control pushes new versions into MES, labeling, WMS, and LIMS. Interlocks prevent the old behavior: blocked picks/prints, blocked batch starts, blocked Release when CAPA actions are open or effectiveness not verified. For lab‑driven CAPA, LIMS integrations via the V5 Connect API synchronize method/spec changes and post OOS/OOT dispositions; the CoA pulls the final, valid results with traceability.

Dashboards. Effectiveness turns visible: CPV charts, SPC headroom, blocked‑transaction counts (attempted bad scans or obsolete labels), complaint trend, right‑first‑time—all feeding APR/PQR and management review.

Related Reading
• Foundations & Governance: 21 CFR Part 11 | EU GMP Annex 11 | QMS | Policies & Governance
• Signals & Trending: CPV | Control Limits (SPC) | APR / PQR | X‑bar/R
• Execution & Interlocks: Automated Batch Records (eBMR) | Barcode Validation | Bin / Location Management | Cleaning Validation
• Release & Evidence: Batch Release | Certificate of Analysis (CoA) | Change Control | Record Retention & Archival