Process Guide

The CAPA Process: How Regulated Manufacturers Actually Run It

CAPA is the most-audited element of any regulated quality system. This guide walks through the CAPA process the way it runs in practice — with the screening logic, the risk assessment, and the evidence at each step that auditors at FDA, BSI, DNV, and TÜV are trained to look for.

The CAPA process is the closed loop a regulated quality system runs after a confirmed nonconformance or an identified risk. It is the corrective action loop with three additions: an explicit screening step, an explicit risk assessment, and a type field (Corrective / Preventive). See the broader CAPA guide and the comparison to corrective action.

What the CAPA process owns

The CAPA process handles inputs from multiple sources: internal NCRs, customer complaints, field returns, SCARs, audit findings (internal, registrar, customer), regulatory observations (FDA 483, MDR/Vigilance), trending alarms, FMEA actions, near-misses, and lessons learned. Not every input becomes a CAPA — the screening step decides.

Step 1 — Intake and screening

Every input enters a queue. The CAPA owner (usually QA) screens against documented criteria: severity, frequency, regulatory implication, customer exposure, and risk class. Inputs above the threshold open a CAPA; the rest are dispositioned in the source system (NCR closure, complaint response, FMEA action without CAPA escalation).

Screening criteria are themselves a CAPA element auditors check. Inconsistent screening (opening CAPAs for one operator's NCRs and not another's) is a common finding. Document the criteria and review them annually.

Step 2 — Risk assessment

ISO 13485 and FDA 21 CFR 820 expect an explicit risk assessment on every CAPA. Severity, occurrence, and detection scoring (the same fields used in PFMEA) determine the CAPA priority and influence the effectiveness criteria and verification window. For medical devices, the risk assessment also drives the MDR / 21 CFR 803 reportability review even when the conclusion is non-reportable.

Step 3 — Containment (corrective CAPAs)

Same as the corrective action process: stop the bleeding. Define scope (lots, locations, quantities), execute, document with evidence. Preventive CAPAs typically skip this step since no defect has occurred.

Step 4 — Root cause analysis

Identify both occurrence and detection causes. Scale the method to severity: 5 Whys for lighter cases, Fishbone for multi-factor problems, 8D or formal Fault Tree for safety- or regulatory-critical issues. See CAPA root cause analysis for the methods regulated systems use most often.

Step 5 — Action plan

Each root cause gets one or more actions with named owners, due dates, and the evidence required for closure. Engineering controls and poka-yoke sit at the top of the hierarchy; training and procedure updates alone almost always fail effectiveness in regulated audits.

Step 6 — Implementation

Execute the plan. For medical devices, any change affecting the Design History File (DHF) or Device Master Record (DMR) routes through formal design or document change control before going live. For automotive, any change affecting PPAP routes through customer change notification.

Step 7 — Verification of implementation

Independent confirmation that each action was actually done. Separate signature, separate date. Auditors specifically look for this split — collapsing it into a single sign-off is one of the most common findings.

Step 8 — Effectiveness check

After the defined window, verify against the criteria written up front. See the dedicated effectiveness verification guide. For FDA-regulated CAPAs, the effectiveness data and disposition are explicit audit targets.

Step 9 — Closure and read-across

Close with all evidence attached. Read-across is mandatory in IATF 16949 and AS9100; FDA-regulated CAPAs typically perform a similar "extent of effect" analysis identifying other products, lots, or processes affected by the same cause.

FAQ

What are the steps in the CAPA process?

Intake and screening, risk assessment, containment (corrective only), root cause analysis, action plan, implementation, verification of implementation, effectiveness check, and closure with read-across.

What is the difference between the CAPA process and the corrective action process?

CAPA adds explicit risk assessment, a screening step to decide whether a CAPA is warranted, and a type field for corrective versus preventive. The action steps themselves are identical. See CAPA vs corrective action.

What standards require a documented CAPA process?

ISO 9001 (clause 10.2), IATF 16949, AS9100, ISO 13485, and FDA 21 CFR 820.100. The depth of documentation and effectiveness rigor scales with the regulation.

How long does a CAPA typically stay open?

From intake to closure including the effectiveness window, 90 to 180 days is typical. CAPAs open longer than 180 days without status are themselves a common audit finding.

Who owns the CAPA process?

Quality Assurance owns the process and the CAPA log. Each individual CAPA is owned by a named engineer responsible for the affected product, process, or supplier.
