CAPA stands for Corrective and Preventive Action — the structured process of investigating a problem, fixing its root cause, and stopping it (or something like it) from happening again. It's one of the most common requirements across ISO 9001, ISO 13485, ISO 22000, IATF 16949, and FDA-regulated industries, because it's the mechanism that turns "we found a problem" into "we fixed the system that allowed the problem."
Corrective vs. preventive action — what's the difference?
The two halves of CAPA solve different timing problems:
- Corrective action responds to a problem that has already happened — a nonconformity, a customer complaint, a failed audit finding. It asks: why did this occur, and how do we stop it recurring?
- Preventive action responds to a problem that hasn't happened yet but plausibly could — a near-miss, a trend in your data, a risk you've identified. It asks: what could go wrong here, and how do we stop it before it does?
Most modern quality systems treat preventive action as part of risk-based thinking (ISO 9001:2015 folded formal "preventive action" into clause 6.1, risk and opportunity), but the discipline is the same: don't just patch the symptom.
What triggers a CAPA?
A CAPA can be raised from almost anywhere in your management system:
- An internal or external audit finding
- A nonconformity report (NCR) from production or receiving inspection
- A customer complaint
- An incident or near-miss
- A risk assessment that surfaces an unacceptable risk
- Trend data — recurring minor issues that, together, signal a systemic problem
The standard CAPA workflow
Different standards phrase it differently, but the underlying steps are consistent:
- Identify and describe the problem. What happened, when, where, and what's the immediate containment (stop the bleeding first)?
- Investigate the root cause. Not the first plausible explanation — the actual underlying cause. Tools like 5-Whys or a fishbone diagram help you get past symptoms.
- Plan the action. What will you change — a process, a training requirement, a design, a specification — and who owns it, by when?
- Implement. Make the change. Update the documents it touches.
- Verify effectiveness. This is the step people skip, and it's the one auditors check first. Did the action actually work? Give it enough time to know, then check.
- Close and record. A CAPA isn't closed because the due date passed — it's closed because you have evidence the fix worked, and (increasingly) a signed approval.
The step most teams get wrong: closing a CAPA the moment the "action" is done, without verifying it actually solved the problem. An auditor's favourite question is "how do you know this fixed it?" — if the answer is "we assume so," that's a finding waiting to happen.
Why CAPA programs fail (and how software fixes it)
The most common failure mode isn't lack of effort — it's fragmentation. The NCR lives in one spreadsheet, the CAPA in another, the evidence in an email thread, and the verification step... nobody remembers to do it. By the time the external audit rolls around, someone spends two days reconstructing a paper trail that should have existed all along.
A connected CAPA system fixes this by keeping the whole chain — the source (audit finding, NCR, complaint, risk), the investigation, the actions, the verification, and the sign-off — as one linked record, not five disconnected artifacts. AI can also draft a first-pass root-cause analysis and suggested actions from the nonconformity context, so investigation starts from a grounded draft instead of a blank page.
What good CAPA closure looks like
Increasingly, regulated industries require an electronic signature to close a CAPA — not just a status change, but a compliant sign-off (21 CFR Part 11-style: re-authentication, a stated reason for the signature, and a permanent record of who closed it, when, and why). That turns "closed" from a checkbox into evidence.