Corrective and Preventive Action (CAPA) is a structured subsystem of a Quality Management System (QMS) mandated by ISO 13485 and FDA 21 CFR Part 820 to systematically identify, investigate, and resolve product and process nonconformities. The process is bifurcated: corrective action eliminates the root cause of a detected nonconformity to prevent recurrence, while preventive action eliminates the cause of a potential nonconformity to prevent occurrence.
Glossary
Corrective and Preventive Action (CAPA)

What is Corrective and Preventive Action (CAPA)?
A systematic process within a Quality Management System (QMS) to investigate and correct nonconformities and prevent their recurrence, a critical component of post-market quality for Software as a Medical Device (SaMD).
For Software as a Medical Device (SaMD), a CAPA is triggered by sources like Post-Market Surveillance (PMS) data, Medical Device Reporting (MDR) complaints, or internal audit findings. The process requires rigorous root cause analysis, implementation of a fix, and Verification and Validation (V&V) of the action's effectiveness to ensure the correction does not introduce new risk, maintaining the device's safety and Substantial Equivalence (SE).
Core Characteristics of an Effective CAPA System
A robust Corrective and Preventive Action (CAPA) system is the engine of continuous improvement within a QMS. It moves beyond simple firefighting to systematically identify root causes and prevent recurrence, ensuring the safety and effectiveness of Software as a Medical Device (SaMD).
Risk-Based Prioritization
Not all nonconformities are equal. An effective CAPA system uses a risk matrix to evaluate the severity and probability of harm, ensuring resources are focused on issues with the highest patient safety impact. This aligns directly with ISO 14971 risk management principles.
- High-risk issues (e.g., a diagnostic false-negative) trigger immediate action.
- Low-risk issues (e.g., a cosmetic UI glitch) follow a standard workflow.
- Prioritization prevents resource drain on trivial problems.
Rigorous Root Cause Analysis
Correcting a symptom without addressing the source guarantees recurrence. A strong CAPA process mandates formal root cause analysis (RCA) using structured methodologies to drill down to the fundamental process or design failure.
- 5 Whys: Iterative questioning to peel back layers of symptoms.
- Fishbone/Ishikawa Diagram: Categorizing causes into groups like methods, materials, and machinery.
- Fault Tree Analysis (FTA): A top-down, deductive failure analysis for complex systems.
Clear Action and Effectiveness Checks
Every CAPA must define a concrete action plan with assigned owners and due dates. Critically, it must also include pre-defined effectiveness checks to verify that the implemented action actually solved the problem and did not introduce new ones.
- Actions are specific, measurable, and time-bound.
- Effectiveness is verified with objective data, not anecdotal evidence.
- A closed CAPA without a verified effectiveness check is a latent risk.
Full Lifecycle Traceability
A CAPA is not an isolated event; it's a nexus connecting multiple QMS subsystems. An effective system maintains bidirectional traceability to the source nonconformance, related risk management files, and updated design history documents.
- Links to the Design History File (DHF) for design changes.
- Links to the Risk Management File to update hazard analyses.
- Provides a complete audit trail for regulatory inspectors, proving the loop was closed.
Data-Driven Trending and Prevention
The 'P' in CAPA stands for Preventive. A mature system aggregates data from Post-Market Surveillance (PMS) , complaints, and service records to identify negative trends before they become widespread failures. This shifts the organization from a reactive to a proactive quality posture.
- Statistical process control on complaint data.
- Analysis of service and nonconformance records for weak signals.
- Initiating preventive actions based on trend thresholds, not just single events.
Integration with Change Management
A corrective action often results in a design or process change. An effective CAPA system is seamlessly integrated with the change control process to ensure the fix is properly documented, verified, and validated before deployment, especially for SaMD where a software update is the deliverable.
- CAPA output feeds directly into a change order.
- Ensures changes are reviewed by the same cross-functional team.
- Prevents unauthorized 'quick fixes' that bypass design controls.
Frequently Asked Questions
Clear answers to the most common regulatory and operational questions about the CAPA process within a medical device Quality Management System.
A Corrective and Preventive Action (CAPA) is a systematic, documented process within a Quality Management System (QMS) used to investigate, identify, and resolve nonconformities related to a medical device or its manufacturing process. The 'corrective' component focuses on eliminating the root cause of a detected nonconformity to prevent its recurrence, while the 'preventive' component proactively identifies and eliminates the causes of potential nonconformities to prevent their occurrence entirely. For Software as a Medical Device (SaMD), this includes addressing software bugs, algorithmic performance drift, cybersecurity vulnerabilities, and usability errors identified during Post-Market Surveillance (PMS). It is a mandatory subsystem for compliance with ISO 13485 and FDA's 21 CFR Part 820, ensuring continuous improvement and patient safety.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
CAPA is a cornerstone of a mature Quality Management System. These related terms define the regulatory context and operational processes that trigger and are influenced by corrective and preventive actions.
Quality Management System (QMS)
A formalized system documenting processes, procedures, and responsibilities for achieving quality policies. For SaMD, this is typically structured around ISO 13485. CAPA is a mandatory subsystem within the QMS that ensures feedback from post-market surveillance and audits results in measurable product or process improvements.
Nonconformity
The non-fulfillment of a specified requirement. In the CAPA context, this is the triggering event.
- Sources: Audit findings, customer complaints, service records, or manufacturing deviations.
- Grading: Nonconformities are graded by risk (major/minor) to determine the urgency of the investigation.
- Distinction: A nonconformity is the problem; CAPA is the process to fix it and prevent recurrence.
Root Cause Analysis (RCA)
A systematic problem-solving method used during the 'Investigation' phase of CAPA to identify the fundamental origin of a nonconformity, not just its symptoms.
- Common Tools: Fishbone (Ishikawa) diagrams, 5 Whys, Fault Tree Analysis (FTA).
- Goal: Distinguish between special cause variation (a one-off error) and common cause variation (a systemic process flaw) to determine if a preventive action is required.
ISO 14971: Risk Management
The international standard for the application of risk management to medical devices. CAPA and risk management are deeply intertwined.
- Risk-Based CAPA: The severity of the risk associated with a nonconformity dictates the rigor of the CAPA investigation.
- Feedback Loop: If a CAPA reveals a previously unidentified hazard or an unacceptable residual risk, the Risk Management File must be updated immediately to reflect the new benefit-risk analysis.
Post-Market Surveillance (PMS)
The proactive, systematic process of collecting and analyzing real-world data on a device's performance after release. PMS is the primary input source for CAPA in the post-production phase.
- Data Sources: Complaints, Medical Device Reporting (MDR), and scientific literature.
- Trend Analysis: Statistical analysis of PMS data often reveals latent nonconformities that trigger a preventive action before a serious incident occurs.
Design History File (DHF)
A compilation of records that describes the design history of a finished medical device. When a CAPA identifies a design flaw, the DHF must be updated to reflect the design change.
- Traceability: The CAPA provides the justification for the design change, linking the identified nonconformity to the updated design outputs and verification/validation records.
- Audit Trail: Regulators inspect the DHF to ensure CAPA-driven changes were properly documented and re-verified.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us