Medical Device Corrective and Preventive Action (CAPA): FDA 21 CFR 820.100 Complete Guide

What FDA Requires Under 21 CFR 820.100

Corrective and Preventive Action (CAPA) is one of the most frequently cited sections in FDA Form 483 observations and Warning Letters. Under 21 CFR 820.100, medical device manufacturers must establish and maintain procedures for implementing corrective and preventive action — and those procedures must cover a specific set of activities that FDA inspectors are trained to evaluate.

The regulation requires manufacturers to: analyze processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product or other quality problems. That analysis must include appropriate statistical methodology where necessary to detect recurring quality problems.

The critical distinction between corrective action and preventive action: corrective action addresses problems that have already occurred, while preventive action addresses potential problems identified before they occur. FDA expects manufacturers to operate both halves of the CAPA system — not just respond to problems after the fact, but proactively identify and eliminate potential failure modes.

Under QMSR (21 CFR Part 820, effective February 2, 2026), the CAPA framework aligns with ISO 13485:2016 Section 8.5.2 and 8.5.3, consolidating the legacy 820.100 requirements into a risk-based quality management system structure. The substantive requirements remain essentially the same, but manufacturers must now demonstrate integration of CAPA with their broader risk management process under ISO 14971.

The Eight Required Elements of a CAPA Procedure

FDA inspectors use a structured evaluation framework when reviewing CAPA systems. A CAPA procedure that is missing any of the eight required elements will generate 483 observations. The eight elements are:

1. Analyze data to identify nonconformances. Your procedure must define what data sources feed the CAPA system — complaints, audit findings, nonconforming product reports, process monitoring data, service records, and trend analysis outputs. Many manufacturers list these sources in their CAPA SOP by name with defined review frequencies.

2. Investigate the cause. The investigation element requires identification of the root cause of the problem, not just its symptoms. FDA expects documented evidence that root cause analysis was performed. Acceptable methods include fishbone diagrams, 5 Whys analysis, fault tree analysis, and failure mode analysis. The method used must be proportionate to the risk level of the nonconformance.

3. Identify the action needed. Once root cause is established, the procedure must define how corrective or preventive actions are identified. Actions must address the root cause, not just the symptom. A CAPA that "retrained the operator" without addressing why the operator made the error — process design, inadequate work instructions, unclear acceptance criteria — will not satisfy FDA.

4. Verify or validate the corrective and preventive action. This is where most CAPA systems fail in practice. Actions must be verified or validated before implementation to ensure they will not introduce new problems and will be effective in addressing the root cause. Process changes require validation; procedural changes require verification that the change was implemented as intended.

5. Implement and record changes. Any changes to methods, procedures, specifications, or processes that result from CAPA must be documented and records must be updated. Changes that affect validated processes require re-validation.

6. Ensure information on quality problems is disseminated. Information about quality problems and CAPA actions must be disseminated to the individuals directly responsible for assuring product quality and preventing such problems.

7. Submit relevant information for management review. CAPA status, trends, and effectiveness data must feed the management review process. This creates the audit trail FDA expects to see between your CAPA system and management review records.

8. Document all activities. Records must be maintained for all CAPA activities: the problem identified, the investigation, the root cause determination, the action taken, the verification or validation of effectiveness, and closure.

Root Cause Analysis: What FDA Actually Expects

The most common CAPA deficiency FDA cites is inadequate root cause analysis. Inspectors are specifically trained to look for superficial investigations that stop at symptoms rather than causes. A CAPA stating that a nonconformance occurred because "the operator was not following the procedure" and concluding with "operator was retrained" will receive a 483 observation in virtually every case.

FDA expects the investigation to ask: Why did the operator not follow the procedure? Was the procedure unclear? Was the procedure not accessible at the point of use? Was the training inadequate? Was there a workstation design issue that made compliance difficult? Was there a management system failure that allowed noncompliance to go undetected? Each of these potential root causes requires evaluation and documentation before the investigation can be closed.

Practical root cause documentation standards: Your investigation record should document: what happened (the nonconformance description), when and where it was detected, who detected it, what the potential impact is on product quality and patient safety, what immediate containment actions were taken (if any), the root cause analysis method used, the evidence reviewed, any alternative root causes that were evaluated and rejected, and the final root cause determination with supporting justification.

Using statistical methods: 21 CFR 820.100(a)(1) explicitly requires statistical methods where necessary to detect recurring quality problems. This means your CAPA system must include trend analysis of complaint data, nonconforming product rates, audit findings, and other quality metrics. When trends indicate a systemic problem, a CAPA must be opened even when no individual event meets your nonconformance threshold.

CAPA vs. nonconformance: Not every nonconformance requires a CAPA. Your procedure should define the criteria for escalating a nonconformance to the CAPA system — typically based on risk (using ISO 14971 criteria), recurrence, potential regulatory impact, or customer impact. The escalation criteria must be documented and consistently applied.

Effectiveness Verification: The Step Most Systems Get Wrong

FDA requires that corrective and preventive actions be verified or validated before implementation, and that the effectiveness of implemented actions be confirmed. In practice, the effectiveness check is the step most CAPA systems either skip entirely or execute poorly.

An effectiveness check is not the same as verifying that the action was completed. If your CAPA action was to revise Work Instruction WI-022, the effectiveness check is not "WI-022 was revised and approved." The effectiveness check is evidence that the revision actually prevented recurrence of the original problem.

Defining the effectiveness check upfront: Best practice is to define the effectiveness check criteria at the time the CAPA action is planned — before implementation. The check should specify: what data will be reviewed, over what time period, and what constitutes evidence of effectiveness. A CAPA for an operator error might specify: "Review 30 consecutive production records for the affected process over 60 days post-training; zero recurrence of the specific error constitutes effectiveness."

Timing of effectiveness checks: The effectiveness check period must be long enough to generate meaningful data. For low-frequency processes or events, a 30-day effectiveness window may not produce enough data points to confirm effectiveness. Your procedure should address how the effectiveness window is determined based on process frequency and event occurrence rates.

When CAPAs are not effective: Your procedure must address what happens when an effectiveness check indicates the CAPA did not achieve its objective. The typical path is re-opening the CAPA, revisiting the root cause analysis, and developing a revised action plan. FDA expects to see this loop closed, not abandoned.

Linking effectiveness to CAPA closure: No CAPA should be closed without documented evidence of effectiveness verification. FDA inspectors will request CAPA records and specifically look for evidence of effectiveness checks before closure. A high percentage of closed CAPAs without effectiveness documentation is a systemic indicator of a deficient CAPA system.

CAPA System Integration: Inputs, Outputs, and Management Review

A CAPA system that operates in isolation — receiving inputs only from formal nonconformance reports — is almost certainly under-performing and may generate a 483 observation for inadequate data analysis. FDA expects CAPA inputs to span all quality data sources in your QMS.

Required CAPA input sources: - Customer complaints and MDR reports - Nonconforming product and materials - Internal audit findings - Supplier audit findings and supplier performance data - Process monitoring and statistical process control data - Field service records - Returned product analysis - Management review outputs - Post-market surveillance data

Each input source must have a defined review frequency and an escalation path to the CAPA system. Many manufacturers use a monthly quality data review meeting to evaluate trends and make CAPA opening decisions.

CAPA as a management review input: The management review process under 21 CFR 820.20(c) and ISO 13485:2016 Section 9.3 requires that CAPA status and trends be reviewed by management at defined intervals. Your CAPA reporting to management review should include: number of CAPAs opened by category, average cycle time, percentage with completed effectiveness checks, and any overdue or escalated CAPAs. Management review records must reflect that this data was reviewed and that any necessary actions were assigned.

CAPA metrics and trending: FDA increasingly expects manufacturers to demonstrate that their CAPA system is effective at the systemic level — not just that individual CAPAs are being processed. Metrics such as CAPA recurrence rate (percentage of CAPAs addressing problems that previously had CAPAs), average time to root cause completion, and CAPA-to-complaint ratio are useful indicators of systemic CAPA effectiveness.

Linking CAPA to risk management: Under QMSR and ISO 13485:2016, CAPA outputs that affect product risk must be evaluated through your ISO 14971 risk management process. If a CAPA identifies a new failure mode or changes the estimated probability or severity of a known risk, your risk management file must be updated. This linkage must be documented in your CAPA record.

---

Ready to implement this? Download our CAPA Toolkit.