FDA CAPA Requirements: Ensuring Compliance and Quality Control

fda requirements for CAPAHaving a repeatable procedure for Corrective and Preventive Action (CAPA) is a key FDA requirement for medical device developers. But it’s a requirement that many fail to deliver on effectively.

The need for CAPA procedures to form part of your QMS is written into FDA QSR regulation Regulation, CFR Part 820.

But one of the most common reasons for the issuance of the FDA’s 483 warning letter (a notice to highlight any potential regulatory violations found during an inspection) is ‘inadequate Corrective and Preventive Action’ procedures being in place.

So what is actually required from your CAPA process and why do device developers so often get it wrong?

See our CAPA solution in action

What does the FDA say about CAPA?

"The purpose of the corrective and preventive action subsystem is to collect information, analyze information, identify and investigate product and quality problems, and take appropriate and effective corrective and/or preventive action to prevent their recurrence.”

Your procedures must include:

  • Data collection and analysis
  • Investigating the cause of the non-conformities
  • Identifying the actions needed to correct and prevent recurrence
  • Verifying/validating the corrective and preventive action
  • Implementing and recording resulting changes in methods and procedures
  • Ensuring that information is shared with those responsible for quality in the organisation
  • Submitting relevant information for management review
  • Documenting all the above activities.

1. Are you collecting and analysing information?

FDA guidelines mean that you should have both reactive and proactive processes in place to trigger CAPA procedures when required. 

As well as having a process for capturing and dealing with complaints and feedback from product users, you also need to have procedures in place to routinely check for potential non-conformities in the way you work and your end-products.  In all cases, you should be systematically analysing collected data to detect recurring quality problems.

QSR 820 says developers should be:

“Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems”

2. How are you investigating?

Once a non-conformity has been identified and logged, you must evaluate whether it is a systemic issue.  If it is found to be a systemic problem then the CAPA investigation process should be triggered.

The purpose of the investigation is to understand the root cause of the non-conformity - in other words why did the issue happen?  Don’t confuse the symptoms of the problem with the cause. You need to keep digging to see what lies behind each identified failure. 

Every CAPA investigation needs

  • A clear objective
  • A repeatable and documented procedure to be followed
  • A cross functional team who will contribute to the investigation

The investigation should result in a report or record that documents your findings, including:

  • A full description of the nonconformity event
  • A root or probable cause for the nonconformity event
  • Provide objective evidence supporting conclusions
  • Description of statistical methods used
  • Final risk assessment

3. Can you identify actions to correct and prevent reoccurrence?

This is the whole point of a CAPA process. Based on the investigation and evidence, you need to document the corrective steps that need to be taken to resolve the issue - and then what steps will need to be taken to prevent it from recurring. But these preventive steps are often the most complex and far-reaching changes that need to be made, as they often require a fundamental alteration to established quality processes. Failing to take and document preventive action is an area where organisations often fall down, leading to a 483 letter.

Why corrective action management goes wrong - and what to do about it?

4. Verifying and/or validating the corrective and preventive action

Your CAPA responsibilities clearly do not end when required actions are identified and implemented within your system. You need to have the tools to verify and validate that they are working. In implementing new processes and procedures you may even have introduced new problems that could result in fresh problems. How does your QMS trigger and control validation activity following changes? Without the tools to automate and remind the business of the need to do this, these vital checks can end up being neglected.

5. Implementing and recording resulting changes in methods and procedures

SOPs and other quality documentation need to be fully updated to reflect any changes in the way you work following a CAPA investigation. Again, do you have the automated change control procedures in place to set these updates in train? 

6. Ensuring that information is shared with those responsible for quality in the organisation

Your QMS should be the single source of truth for the entire organisation around quality practice. But even if you dutifully update and republish dense SOPs documentation to alert workers to required changes on the manufacturing floor you may not be successful in changing behaviour. Choosing a graphical quality management system (gQMS) where SOPs and dependencies are depicted in a ‘top layer ‘of flow charts and diagrams can help workers quickly engage with changing requirements, while storing more detailed documentation behind deep links into your DMS. Your QMS should also have the ability to alert and notify specific users when contents relevant to them are updated.  There’s no point making a change if no one knows they have been made, or where to review them.

7. Submitting relevant information for management review

Do you have the systems in place to formally share details of CAPA investigations and recommended changes with senior management? The FDA need to see evidence of how they are alerted and kept apprised of developments. 

Does your eQMS help management routinely monitor progress against plans, as well as effectiveness metrics and outcomes?

8. Documenting all the above activity

And, of course, it goes without saying that all of the activity above should be documented in real-time and auditable on demand.


As you build your SOPs to create fail-safe development processes that make quality the ‘way you do things’, you shouldn’t ignore your CAPA responsibilities. These are the ongoing efforts that your business must make to capture and monitor systemic quality issues as they arise, as well as attempting to prevent others from occurring in the first place.

To be really effective, awareness of the importance of CAPA needs to be imprinted at a cultural level across your organisation. When you are developing your QMS you should be looking for digital tools that allow you to embed and automate CAPA processes into the way you work from the very beginning of a project.

Cognidox CAPA report template

Tags: FDA Compliance

Joe Byrne

Written by Joe Byrne

Joe Byrne is the CEO of Cognidox. With a career spanning medical device start-ups and fortune 500 companies, Joe has over 25 years of experience in the medical device and high-tech product development industries. With extensive experience in scaling businesses, process improvement, quality, medical devices and product development, Joe is a regular contributor to the Cognidox DMS Insights blog where he shares expertise on scaling and streamlining the entire product development cycle, empowering enterprises to achieve governance, compliance, and rigour.

Related Posts

Understanding FDA 21 CFR Part 11: A Guide for Life Science Developers

WTH is FDA 21 CFR Part 11? That’s a question many life science developers wanting to access the US ...

5 Challenges in Building a Pharmacovigilance System Master File

Managing the integrity and accessibility of a PSMF (Pharmacovigilance System Master File) is a key ...

FDA Regulation Update: QMSR and ISO 13485:2016 Explained

At last! It’s happened! The FDA has announced the date for the publication of its new Quality ...