Common Misconceptions About CAPA (Corrective and Preventive Actions)

By /

Common Misconceptions About CAPA (Corrective and Preventive Actions)

Introduction: Why CAPA Matters in FDA Inspections

During FDA inspections of medical device manufacturers, CAPA processes are subject to rigorous scrutiny. This strict examination reflects a fundamental principle of medical device regulation: preventing the recurrence of adverse events, product defects, recalls, and field actions.

Medical devices inherently carry certain risks. If manufacturers were prohibited from selling any device bearing any risk, medical progress would come to a standstill. Accidents should ideally never occur, but achieving zero risk is impossible in reality. What constitutes poor practice is repeating the same mistakes. The FDA emphasizes the importance of “timely remediation”—when complaints, adverse events, or defect reports are received, manufacturers must implement improvements promptly. For this reason, CAPA (Corrective and Preventive Actions) is essential to the quality management system.

Distinction Between Correction and Corrective Action

A critical misunderstanding exists regarding what constitutes corrective action. The terms “correction” and “corrective action” are often conflated, but they are fundamentally different.

Correction addresses the direct cause of a specific defect or nonconformity. Corrective action, conversely, addresses the root cause of a defect to prevent recurrence. The distinction is crucial because correcting the immediate problem without eliminating its root cause leaves the underlying systemic failure intact.

In my consulting work, I have observed two common examples of companies incorrectly treating corrections as corrective actions:

First, design changes that are implemented without first investigating the root cause of the design error. If a design flaw is corrected without understanding why the error occurred in the first place, similar mistakes are likely to be repeated in other areas of the device or process. The mere act of changing a drawing or specification is not a corrective action—it becomes a corrective action only when preceded by thorough root cause analysis that addresses the systemic conditions that allowed the error to occur.

Second, retraining personnel after a defect attributed to human error. While retraining the individual directly responsible may prevent them from repeating the specific mistake, it does not address the systemic conditions that enabled the error. When personnel are reassigned, their replacements will likely repeat the same mistake unless the underlying system is corrected. True corrective action requires identifying and eliminating the conditions that made the error possible—whether through procedure revision, clearer work instructions, improved design, or enhanced controls.

The essence of corrective action is therefore to correctly identify root causes and thoroughly evaluate whether the proposed corrective actions will be effective in preventing recurrence. This requires disciplined use of root cause analysis methodologies such as the “5 Why” technique or failure mode analysis, applied rigorously and systematically.

CAPA Must Follow a Single Pathway

A significant process error I have encountered in several medical device companies is the creation of two separate CAPA pathways—sometimes labeled “Small CAPA” and “Big CAPA” (provisional terminology). This approach is clearly incorrect and contradicts both regulatory requirements and ISO 13485.

Neither FDA regulations nor ISO 13485 require—or permit—dividing CAPA into multiple pathways based on severity. The concept of handling complaints and CAPA through separate workflows based on initial assessment has no basis in regulatory or standards requirements. Event management processes, including complaint handling and CAPA, must operate as a single, unified workflow.

The appropriate practice is to establish a single CAPA pathway and use prioritization as the CAPA investigation progresses and root causes are identified. If investigation reveals that an issue is more serious than initially apparent, the priority should be elevated and resources increased accordingly. Conversely, if investigation determines that an issue is less serious than initially thought, resources may be adjusted downward.

The critical error occurs when companies attempt to assign severity and workflow at the time the CAPA is initiated, based solely on the initial complaint or initial assessment of defect severity. This bifurcation of the process creates multiple problems: it may result in inadequate investigation of issues initially categorized as minor, it introduces inconsistency in the application of CAPA requirements, and it provides no clear mechanism for escalating a CAPA that becomes more serious during investigation. A single, unified CAPA process with dynamic prioritization based on investigation findings is the only approach that satisfies regulatory requirements and ensures consistent quality management.

CAPA Timeliness and Management Accountability

As previously noted, the FDA places strong emphasis on timely remediation. Similarly, ISO 13485:2016 explicitly requires that organizations establish and maintain timeframes (deadlines) for complaint handling and CAPA closure. In practice, however, many medical device companies allow CAPAs to remain open for months, sometimes indefinitely. This state of affairs does not constitute “timely remediation” and creates significant risk during regulatory inspections.

To address this issue, the CAPA procedure I have developed for use by companies includes a monthly review of CAPA progress. CAPAs with delayed closure trigger a mandatory requirement for the responsible department to provide written justification for the delay. This practice reflects the reality of FDA inspection strategy: open CAPAs are consistently challenged during inspections and can result in warning letters or other enforcement actions if they cannot be adequately justified.

Departments should be required to provide, for any CAPA with delayed closure or facing closure difficulties, both a well-reasoned justification for the delay and a clearly documented interim measure or containment strategy. This demonstrates to the FDA that the company has taken the issue seriously, evaluated the risks, and is actively managing the situation even while permanent corrective action remains in progress.

Risk Assessment for Events That Have Already Occurred

When an adverse event occurs, companies initiate a CAPA and, in many cases, perform risk assessment. However, the vast majority of companies apply risk assessment methodology incorrectly in this context.

The error is this: companies often multiply “severity” by “probability of occurrence” when assessing risks for events that have already happened. This application is fundamentally incorrect.

Risk, by definition, refers to something that has not yet occurred. When calculating risk for a potential future event, multiplying severity by probability of occurrence is appropriate. However, once an adverse event has actually occurred, the probability of occurrence is no longer a variable—it is 1 (or 100%). The event has already happened.

To illustrate this point, consider aircraft or train accidents. When an accident occurs, the transportation accident investigation committee does not decline to implement safety improvements on the grounds that the probability of the same accident occurring again is extremely low. The probability is irrelevant because the accident has already happened once. The question shifts from “will this happen?” to “how do we prevent this from happening again?”

In CAPA, when assessing an adverse event or defect that has already been discovered, severity—not probability—is the sole relevant criterion for determining the urgency and priority of corrective action. Severity reflects the potential harm caused by the observed nonconformity. If an adverse event has already occurred, the probability that it has occurred is 1.0 (certainty), and risk assessment methodologies based on probability multiplication are inapplicable.

This distinction is critical because it avoids the logical trap of downplaying the urgency of addressing an actual failure simply because its prior probability was estimated to be low. An event that has occurred has priority equal to its severity; no probability adjustment is needed or justified.

Preventive Action and Risk Management: A Unified Concept

The definition of preventive action is “the elimination of the cause of a potential nonconformity.” Because a “potential nonconformity” is, by definition, something that has not yet occurred, preventive action is fundamentally another term for risk management.

This has important implications for quality management practice. It means that preventive action should not be a reactive response triggered only after an adverse event, defect, or failure occurs. Rather, risk management—and therefore preventive action—must be embedded continuously into normal business operations: design, manufacturing, servicing, distribution, and all other aspects of the product life cycle.

This evolution in thinking is reflected in the structural changes to ISO 9001:2015. In the previous version, ISO 9001:2008, “preventive action” appeared as a discrete clause with specific requirements. In ISO 9001:2015, the clause on preventive action was removed, not because preventing problems became less important, but because the standard was restructured to integrate “risk and opportunity” thinking throughout all clauses. Rather than existing as a separate, compartmentalized activity, risk management is now woven throughout the quality management system.

For medical device manufacturers, this means that robust risk management during design (as required by ISO 14971), careful process design with failure mode considerations, and ongoing monitoring and measurement systems are all forms of preventive action. They represent the company’s commitment to identifying and eliminating potential causes of nonconformity before they result in failures or adverse events.

The integration of risk management into daily operations—rather than viewing it as a reactive response to problems that have already occurred—is the modern interpretation of preventive action and the foundation of a truly effective quality management system.

Conclusion

CAPA processes are far more than administrative checkboxes in a quality management system. They reflect a company’s commitment to learning from its mistakes, improving its processes, and ultimately protecting patients. When CAPA is implemented thoughtfully—with rigorous root cause analysis, disciplined risk assessment, and genuine commitment to systemic improvement—it serves its intended purpose: preventing recurrence and supporting timely remediation of defects.

The misconceptions discussed in this article—conflating correction with corrective action, dividing CAPA into separate pathways, applying risk assessment incorrectly to past events, and treating preventive action as a reactive activity—all represent departures from regulatory intent and standards requirements. Understanding these distinctions, and implementing CAPA with this understanding, is essential for building a quality management system that satisfies regulatory requirements and genuinely protects patient safety.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top