CAPA: Corrective and Preventive Actions

What MDR and IVDR confuse and why you should not talk about CAPA.

The FDA (in 21 CFR part 820 – QSR) and ISO 13485 differentiate between corrective actions, preventive actions and corrections.

Unfortunately, the MDR and IVDR do not clearly differentiate between these concepts. Some manufacturers also believe they can combine corrective and preventive actions into CAPAs. But this is just as imprecise as the lack of distinction between “corrections” and “corrective actions.”

This article defines the terms and helps you avoid deviations in audits and even illegal marketing of devices caused by this confusing terminology. It lists the regulatory requirements and uses examples to explain how to differentiate between the pairs “corrective action” and “correction” and “corrective action” and preventive action.”

1. Correction


ISO 9000 defines the term correction as follows:

Definition: Correction

“action to eliminate a detected nonconformity”

Source: ISO 9000:2015 3.12.2


Examples of corrections are:

  • Shortening a component that is too long
  • Fixing a software bug
  • Classifying a medical device in the right class

2. Corrective action

a) Corrective actions in ISO 9000 and ISO 13485


ISO 9000 defines the term corrective actions as follows:

 Definition: Corrective action

“action to eliminate the cause of a nonconformity and to prevent recurrence”

Source: ISO 9001:2015 3.12.2

Therefore, the aim of a corrective action is to identify and eliminate not just nonconformities but also the causes of nonconformities that have already occurred and to ensure that such nonconformities do not occur again.


Colloquially, actions intended to ensure that a nonconformity does not occur again are often referred to as preventive actions. However, according to the definition, this is not a preventive action.

Examples of corrective actions

Examples of corrective actions include:

  • Changing an incorrect setting on a production machine, e.g., CNC milling machine, so that the component is the correct length in the future
  • Revising the coding guidelines after a software error to ensure the error (probably) does not re-occur
  • Establishing a new data protection strategy after a data loss
  • Making further training mandatory for persons before they classify devices
  • Automating the final inspection so that it is no longer possible to forget to document the results of the inspection

b) Corrective actions according to the MDR and IVDR

Unfortunately, the MDR has not adopted the definition of corrective action from ISO 9000 and ISO 13485:

Definition: Corrective action

“action taken to eliminate the cause of a potential or actual non-conformity or other undesirable situation;”

Source: MDR Article 2

This definition is very unfortunate because it mixes the elimination of the cause of a potential nonconformity and the elimination of the cause of an existing nonconformity. Elimination of a potential nonconformity is usually considered a preventive action.

Regrettably, the MDR and IVDR also use the term “field safety corrective action” in addition to the term “corrective action.”

 Definition: Field safety corrective action

“corrective action taken by a manufacturer for technical or medical reasons to prevent or reduce the risk of a serious incident in relation to a device made available on the market;”

Source: MDR Article 2(68)

Although neither the MDR nor the IVDR define the term preventive action, they do use it. But only in the phrase “corrective and preventive action.” Why this mixing of the two terms is a problem is explained later in this article.

3. Preventive action


ISO 9000 and ISO 13485 do define the term preventive action:

Definition: Preventive action

“action to eliminate the cause of a potential nonconformity or other potential undesirable situation.”

Source: ISO 9000:2015 3.12.1

Interestingly, ISO 9000:2015 defines the term, but ISO 9001:2015 no longer requires any preventive actions.

Examples of preventive actions

Preventive actions are aimed at avoiding future nonconformities that have not yet occurred.

These actions can relate the design of a device to improve its safety, e.g.:

  • Selecting another material or other components
  • Using a more legible font on a user interface
  • Introducing an input value range check
  • Restricting the intended purpose
  • Changing the system architecture, e.g., introducing a watchdog

Other actions might relate to quality management, e.g.:

  • Ensuring better qualification of employees
  • Improving a process, such as the development process
  • Introducing additional code reviews
  • Revising a checklist for reviewing software requirements
  • Introduction of a new metric for static code analysis

If you were to take one of these actions to prevent a nonconformity that has already occurred from occurring again in the future, these actions would not be preventive actions, they would be corrective actions. In another words:

you can’t take a preventive action if the problem has already occurred. If, after a problem has occurred, you want to make sure it doesn't occur again, that would be a corrective action not a preventive action, even though both have the same aim: to prevent a future problem.

Because most manufacturers only react when problems occur, there are a lot of corrective actions and not many preventive actions.

4. Regulatory requirements for corrective and preventive actions

a) ISO 13485

In section 8.5 (“Improvement”), ISO 13485 requires both corrective actions (section 8.5.2 “Corrective action”) and preventive actions (section 8.5.3 “Preventive action”).

Manufacturers must define processes and keep records for them and provide an explanation if they do not take any corrective or preventive actions in response to a customer complaint.

b) FDA

The FDA requires corrective and preventive actions in 21 CFR part 820.100. The requirements are essentially the same as those in ISO 13485.


The FDA is mainly replacing 21 CFR part 820 with a reference to ISO 13485, making the requirements for corrective and preventive action (CAPA) completely the same.


c) MDR and IVDR

The MDR and, likewise, the IVDR establish requirements for corrective and preventive actions. These include:

  • The QM system must cover these actions (Article 10)
  • This system must be audited by the notified bodies
  • Manufacturers must implement necessary corrective actions (Article 10)
  • Distributors, importers and authorized representatives must cooperate with this process
  • Manufacturers must report field safety corrective actions to the authorities
  • They are also obliged to decide which corrective and preventive actions are necessary using post-market data (e.g., Article 83 et seq.). or IVDR Article 78 et seq.)
  • In the case of clinical investigations, sponsors must report corrective actions


The GHTF has published a guidance document named Quality management system -Medical Devices - Guidance on corrective action and preventive action and related QMS processes, which is worth reading. The document refers back to ISO 9000 for the definitions but to the 2005 edition.

Some of the suggestions on how to implement the requirements of ISO 13485 (e.g., on root cause analysis) can also be found in the Practical Guide to ISO 13485. Auditors use both documents.


The GHTF Guidance is free of charge; the ISO Guide costs approx. 100 EUR.

5. The CAPA problem

The term CAPA stands for “corrective action and preventive action.” However, this combining of the two types of action is problematic for several reasons.

a) Problems with standard operating procedure

Some companies create a standard operating procedure (SOP) with the title “CAPA”, in which they (only) define one common procedure for both corrective actions and preventive actions. Sometimes, they even require a preventive action for each corrective action.

In doing so, they pursue the idea that it must be ensured ("prevented") that the problem does not occur again in the same or similar manner. But this form of "prevention" is not a preventive but a corrective action.

Another reason tThere can also not be only one procedure is that because the types of measures differ regarding inputs, roles, or regulatory requirements.

Different inputs

The employee suggestion scheme, the list of future standards and laws, technological trends, and key performance indicators point to possible future non-conformities. However, they are not yet to be understood as information that points to already existing non-conformities and whose causes the manufacturer would, therefore, hasve to eliminate as corrective action.

This means, for example, that the employee suggestion scheme is part of the process with the preventive actions but not the subject of the process with the corrective actions.

Different activities and roles

A corrective action requires different or additional activities and, in some cases, roles than a preventive action:

  • Root cause analysis for corrective action may differ from the one for preventive action: In a corrective action, it is known that there is a nonconformity. Therefore, it is also sure that at least one cause exists for it. In a preventive action, it is necessary to look for the causes of a potential nonconformity.
  • A decision on whether the authorities have to be notified usually only has to be taken for corrective actions.


There are many methods for finding causes of errors that have already occurred, e.g., the 5-Why method. These methods can usually also be applied to find the causes of errors that have not yet occurred: "How could XY happen?"

Different regulatory requirements

ISO 13485 has very precise requirements for handling nonconformities. This means that manufacturers have less freedom when it comes to corrections and corrective actions than they do with preventive actions.

If the MDR and IVDR had adopted the definitions contained in ISO 13485, we wouldn’t need to consider whether corrective actions as defined by the MDR and IVDR are the same as corrective actions and preventive actions combined as defined by ISO 13485.

b) Problem with “non-significant changes”

The MDR grants transitional periods for “non-significant changes.” However, according to the MDCG, what is considered a non-significant change depends on whether it is related to a corrective action.

Do preventive actions now also have to be considered “non-significant design changes”? This would open a whole range of possibilities for manufacturers. Or does the MDR now make a precise distinction between corrective and preventive actions?

Precise definitions of terms and consistent use of these terms would prevent such discussions.

6. Conclusion

The clear separation of corrections, corrective actions and preventive actions makes sense and manufacturers should pay attention to it. Combining the two as one single "CAPA" process is not appropriate.

The fact that the EU regulations (MDR, IVDR) of all things destroy this conceptual integrity is annoying.


The Johner Institute helps you establish streamlined MDR-, IVDR- and FDA-compliant QM systems that pass audits and inspections.


Prof. Dr. Christian Johner

Find out what Johner Institute can do for you

A quick overview: Our


Learn More Pfeil_weiß

Always up to date: Our


Learn More Pfeil_grau

Privacy settings

We use cookies on our website. Some of them are essential, while others help us improve this website and your experience.