CAPA under MDR is the process a manufacturer uses to eliminate the causes of nonconformities (corrective action) and the causes of potential nonconformities (preventive action), so that the same problems do not recur and do not appear elsewhere in the system. The legal obligation sits in MDR Article 10(9), which requires a proportionate quality management system, and in MDR Article 10(12), which requires manufacturers to take the necessary corrective action when a device may not be in conformity. The harmonised standard that describes the mechanics is EN ISO 13485:2016+A11:2021, specifically clause 8.5.2 for corrective action and clause 8.5.3 for preventive action. For a startup, the discipline is the same as for a large manufacturer; the depth scales with the risk class and type of device.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.


TL;DR

  • CAPA is two distinct obligations written into EN ISO 13485:2016+A11:2021 as clauses 8.5.2 (corrective action) and 8.5.3 (preventive action). Corrective action addresses causes of nonconformities that have already happened. Preventive action addresses causes of potential nonconformities that have not yet happened.
  • The MDR does not use the word "CAPA," but MDR Article 10(9) requires a proportionate QMS that manages corrective and preventive actions, and MDR Article 10(12) requires manufacturers to take corrective action when a device may not be in conformity.
  • The CAPA sequence is: detect the nonconformity, contain the impact, determine the root cause, define corrective and preventive actions, implement them, verify effectiveness, and close the record. Every step produces a specific piece of evidence.
  • CAPA connects upstream to the detection sources (PMS, vigilance, internal audits, complaints, nonconforming product handling under clause 8.3) and downstream to management review and continual improvement.
  • Effectiveness verification is what separates a real CAPA from a paperwork exercise. A CAPA closed without an effectiveness check under clause 8.5.2 is an audit finding waiting to happen.
  • A startup does not need a separate CAPA tool or a twelve-page form. It needs the thinking behind the steps, documented honestly, on whatever medium the team already uses.

CAPA in the MDR and ISO 13485 framework

Start with where CAPA lives in the legal and technical structure, because this is where most startups get the relationship wrong.

The legal obligation is in the MDR. MDR Article 10(9) requires every manufacturer of medical devices to establish, document, implement, maintain, keep up to date, and continually improve a quality management system that is proportionate to the risk class and type of device. The paragraph then lists the aspects the QMS must cover, and one of those aspects, in the paragraph's own words, is "management of corrective and preventive actions and verification of their effectiveness." (Regulation (EU) 2017/745, Article 10, paragraph 9.) CAPA is therefore not an optional add-on. It is a named required component of the QMS every manufacturer must run.

MDR Article 10(12) adds a direct regulatory trigger. Where manufacturers consider or have reason to believe that a device which they have placed on the market or put into service is not in conformity with the Regulation, they must immediately take the necessary corrective action to bring that device into conformity, withdraw it, or recall it, as appropriate. They must also inform the distributors and, where applicable, the authorised representative and importers. (Regulation (EU) 2017/745, Article 10, paragraph 12.) The CAPA process is the internal mechanism that executes this obligation. Without a functioning CAPA process, Article 10(12) has nothing to operate through.

The MDR describes the obligation. It does not describe the mechanics. For the mechanics, manufacturers turn to the harmonised standard, EN ISO 13485:2016+A11:2021. Clause 8.5.2 defines what a corrective action process must contain. Clause 8.5.3 does the same for preventive action. When these clauses are applied correctly, the manufacturer has a presumption of conformity with the corresponding MDR requirements.

The ordering matters. The MDR is the North Star. EN ISO 13485:2016+A11:2021 is the tool. Clauses 8.5.2 and 8.5.3 are not "the rules for CAPA." They are the standardised way to meet MDR Article 10(9) and Article 10(12). A startup that orients its CAPA process around the Regulation first, and uses the standard as the implementation blueprint, ends up with a cleaner and more defensible process than one that starts with the standard and forgets the Regulation exists.

Corrective versus preventive: the distinction that matters

The two words are often used interchangeably. They are not interchangeable.

Corrective action, under EN ISO 13485:2016+A11:2021 clause 8.5.2, is action taken to eliminate the cause of a nonconformity that has already occurred. Something went wrong. A finding was raised at an audit. A complaint came in. An internal audit found a gap. A batch record had a deviation. The corrective action is what the manufacturer does to make sure that specific category of problem does not happen again, by removing whatever caused it in the first place.

Preventive action, under clause 8.5.3, is action taken to eliminate the cause of a potential nonconformity that has not yet occurred. Nothing has gone wrong yet. A trend in PMS data suggests a problem is forming. A supplier's change notification raises a risk. An internal review of a process reveals a weakness that has not yet produced a finding. The preventive action is what the manufacturer does to stop the problem from ever appearing in the first place.

The distinction is not bureaucratic. The two actions require different thinking. Corrective action looks backward at something that happened and asks what allowed it. Preventive action looks forward at something that has not happened and asks what would stop it. Both are required as distinct, separately evidenced processes under EN ISO 13485:2016+A11:2021.

A common failure mode is the CAPA record that treats preventive action as an afterthought: a box that says "staff will be retrained" attached to a corrective action that did the real work. This is not a preventive action. It is a vague gesture. A real preventive action identifies where else in the system the same category of cause could produce a problem, and takes concrete, evidenced action there. That is what clause 8.5.3 asks for.

A second common failure mode is the opposite: treating every corrective action as also a preventive action by default. The logic is that if you fix the cause, you have also prevented recurrence. This is technically true for the exact process where the nonconformity happened. It does not cover preventive action in the clause 8.5.3 sense, which is about potential nonconformities the manufacturer has not yet seen.

The CAPA sequence

A complete CAPA runs through a fixed sequence. Every step produces a discrete piece of evidence. At startup scale, this fits on one page if the thinking is real.

Detection. A nonconformity or potential nonconformity enters the CAPA system from one of its upstream sources. State what was observed, where, when, and by whom, in language someone outside the team could understand. Attach the triggering evidence: the complaint, the audit finding, the deviation report, the PMS signal.

Containment. Where a nonconformity affects devices already in use or in production, decide what immediate action is needed to limit the impact while the investigation runs. Containment is not the corrective action. It is the temporary measure that holds the problem steady. This links directly to clause 8.3 of EN ISO 13485:2016+A11:2021 on control of nonconforming product, where a product already shown to be nonconforming must be controlled to prevent its unintended use or delivery.

Root cause analysis. Determine the cause of the nonconformity using a method appropriate to the complexity of the problem: 5 Whys for linear causes, fishbone analysis for multi-factor causes. The test is whether removing the identified cause would actually prevent the observed problem. If the answer is no, the analysis is not finished.

Action definition. Define the corrective action that eliminates the root cause, with a named owner, a target date, and the evidence that will prove it was done. Define the preventive action separately: identify where else in the system the same category of cause could produce a problem, and take concrete action there. EN ISO 13485:2016+A11:2021 clause 8.5.2 requires the corrective action to be appropriate to the effects of the nonconformity. Clause 8.5.3 requires preventive actions to be appropriate to the effects of the potential problems.

Implementation. Execute the defined actions. Attach the evidence of implementation: the updated SOP version, the signed training records, the process change record, the supplier agreement, whatever the action was.

Effectiveness verification. After the action has been in place long enough to know whether it worked, run a second look: a sampled audit, spot check, trend analysis, or competency assessment, whatever fits the action. If the action worked, move to closure. If it did not work, reopen the analysis and try again. This step is the single most important step in the sequence, and the one most often skipped.

Closure. The CAPA record is closed when the actions are implemented, the evidence is attached, and the effectiveness check is complete and positive. The closure is signed and dated by an identified person.

Evidence and documentation

EN ISO 13485:2016+A11:2021 clause 8.5.2 and clause 8.5.3 both require records of the results of any investigation and of any action taken. The question for a startup is not whether to keep records (that is not negotiable) but what to keep and how to keep it without drowning in paperwork.

The minimum record set for a CAPA, under both clauses read together, is: the description of the nonconformity or potential nonconformity with its supporting evidence; the root cause analysis with the identified cause; the defined actions with owners, target dates, and evidence criteria; the evidence of implementation; the effectiveness verification result; and the closure sign-off with date and person. That is typically one page, sometimes two, for most startup CAPAs.

The medium does not matter. It can be a document in the QMS. It can be a structured issue in a tracker. It can be a spreadsheet row with linked attachments. What matters is that an auditor can follow the thread, from the observation through the analysis and the action to the effectiveness check, without reconstruction. The auditor question is always the same: show me the record. If the record exists and tells the whole story, the CAPA is in good standing. If the record is missing pieces, the CAPA is incomplete regardless of how much other paperwork surrounds it.

Integration with PMS, vigilance, and internal audits

CAPA does not live on its own. It is the downstream destination for signals that arrive from the other QMS processes, and the upstream source for inputs into management review.

Post-market surveillance feeds CAPA. When PMS data reveals a trend, a pattern, or a specific recurring problem, the manufacturer opens a CAPA to investigate and act. The PMS system required under MDR Articles 83 to 86 and Annex III is, in large part, the detection layer that keeps CAPA honest after the device is on the market.

Vigilance feeds CAPA. A serious incident reported under MDR Articles 87 to 92 typically triggers a CAPA in parallel with the regulatory report. The regulatory report satisfies the reporting obligation. The CAPA handles the internal investigation, root cause, and action.

Internal audits feed CAPA. An internal audit finding under clause 8.2.2 of EN ISO 13485:2016+A11:2021 becomes a CAPA when the finding reveals a real nonconformity with a cause that needs eliminating. Not every internal audit finding needs a CAPA; some are record corrections. But the ones that reveal a systemic issue do.

Nonconforming product handling feeds CAPA. Clause 8.3 of EN ISO 13485:2016+A11:2021 covers the control of nonconforming product itself, ensuring it is not unintentionally used or delivered. When nonconforming product shows a pattern or a systemic cause, the CAPA process takes over to eliminate that cause.

Customer complaints feed CAPA. A complaint that reveals a real problem with the device, its labelling, its instructions for use, or its performance becomes a CAPA input.

The opposite direction matters too. CAPA outputs feed management review. The status of open CAPAs, the trends in CAPA volume and severity, the effectiveness of closed CAPAs, and the recurring themes all flow into management review as required inputs. This is how the QMS closes its own loop.

The effectiveness verification requirement

The single most common reason CAPA records fail at a Notified Body audit is closure without effectiveness verification. The team takes the action, attaches the evidence that the action was taken, and closes the record the same day. EN ISO 13485:2016+A11:2021 clause 8.5.2 explicitly requires review of the effectiveness of corrective action taken. Clause 8.5.3 requires the same for preventive action.

"Review of effectiveness" is not "confirmation that the action was implemented." Implementation is an input to effectiveness. Effectiveness is an output. Implementation asks "did you do what you said you would do?" Effectiveness asks "did it work?"

Worked examples. An SOP was updated to fix a process gap. Implementation is the new version number and the signed training records. Effectiveness is a sampled check some weeks later showing that the new SOP is actually being followed and that the original problem has not recurred. Training was delivered to close a competency gap. Implementation is attendance and completion. Effectiveness is a competency assessment showing the trained people can actually perform the task correctly. A supplier agreement was strengthened to close a supplier control finding. Implementation is the signed updated agreement. Effectiveness is the first supplier review under the new terms, showing the supplier is actually operating under them.

The effectiveness check does not have to be heavy. It has to exist and it has to be real. Typical check methods include sampled audits, trend data review, spot verifications, competency assessments, and first-article inspections of the corrected process. The method should match the action.

Common CAPA failure modes

Four failure modes appear repeatedly in startup CAPA processes, and all four are easy to fix once named.

Symptom fixing. The CAPA treats the surface of the problem rather than the cause. A missing signature gets signed; the CAPA closes. The underlying process weakness that allowed the signature to be missed in the first place is never addressed, and the same category of problem reappears a month later in a different form. The fix is a real root cause analysis that refuses to stop at the first plausible answer.

Closure without effectiveness check. Covered above. The fix is to make the effectiveness check a mandatory closure criterion, no exceptions.

CAPA as punishment. The team treats opening a CAPA as a bureaucratic failure to be avoided. Problems get handled "informally" outside the CAPA system to keep the CAPA log looking clean. The CAPA log stops reflecting reality. The fix is to separate record corrections (a lighter log) from real CAPAs (the disciplined process) at intake, so the CAPA log contains only what belongs there and is not overwhelmed by trivia.

Missing preventive action. Every record has a corrective action. Almost none has a real preventive action. Clause 8.5.3 becomes a box-tick with a vague sentence. The fix is to treat the preventive action question as a separate step with its own thinking: where else in the system could this category of cause produce a problem, and what action would stop it?

The Subtract to Ship angle

Subtraction in CAPA means removing every step, field, form, and meeting that does not contribute to the thinking behind clauses 8.5.2 and 8.5.3. The complete CAPA that a small team runs well has the following: a clear description of the observation, a real root cause analysis, a corrective action with owner and date and evidence criteria, a preventive action with the same, attached implementation evidence, and a dated effectiveness check. Anything beyond that is overhead that does not trace to a specific clause of EN ISO 13485:2016+A11:2021 or to MDR Article 10(9) or Article 10(12).

The principle is the same one that governs the rest of the QMS. For every element of the CAPA process, ask what specific MDR article or standard clause it traces to. The clauses name what is required. Everything else is discretionary, and most of the discretionary material can be removed without compliance risk. What cannot be removed is the thinking. The thinking is the whole point.

A startup running a disciplined, lean CAPA process, with real root cause analysis, real effectiveness checks, and honest records, meets MDR Article 10(9) and Article 10(12) more completely than a large team running heavy CAPA without discipline. Notified Body auditors see this distinction clearly. They are not impressed by volume. They are impressed by records that tell the truth about real problems and real fixes.

Reality Check: where do you stand?

  1. Can you point to MDR Article 10(9) and Article 10(12) in your own copy of the Regulation and name the CAPA obligations they create? Do you know which EN ISO 13485:2016+A11:2021 clauses you are using to meet those obligations?
  2. Take any closed CAPA from the last six months. Does the root cause analysis go more than one level deep from the original observation? Would removing the identified cause actually prevent the problem?
  3. For that same CAPA, is there a dated effectiveness verification record separate from the implementation evidence, and does the verification show that the action actually worked?
  4. Is the distinction between corrective action (clause 8.5.2) and preventive action (clause 8.5.3) visible in your CAPA records as two separate pieces of thinking, or is preventive action a vague sentence at the bottom of the corrective action form?
  5. Do CAPAs in your system get opened from every upstream source (PMS, vigilance, internal audits, complaints, nonconforming product), or are some sources not feeding the process?
  6. How many CAPAs in your current log were closed on the day they were opened? How many of those were record corrections that should not have been opened as CAPAs at all?
  7. If a Notified Body auditor sat down with your CAPA log tomorrow and picked three records at random, could each record tell its full story without reconstruction?

Frequently Asked Questions

What is CAPA under MDR? CAPA stands for corrective and preventive action. Under MDR Article 10(9), every manufacturer must run a proportionate quality management system that includes management of corrective and preventive actions. Under MDR Article 10(12), manufacturers must take corrective action when a device may not be in conformity. The mechanics of CAPA are described in EN ISO 13485:2016+A11:2021 clause 8.5.2 (corrective action) and clause 8.5.3 (preventive action).

What is the difference between corrective and preventive action under ISO 13485? Corrective action, in EN ISO 13485:2016+A11:2021 clause 8.5.2, eliminates the cause of a nonconformity that has already occurred, so it does not recur. Preventive action, in clause 8.5.3, eliminates the cause of a potential nonconformity that has not yet occurred, so it never does. Both are required, and both must be evidenced separately.

Does the MDR require CAPA explicitly? The MDR does not use the word "CAPA," but MDR Article 10(9) explicitly requires the QMS to cover "management of corrective and preventive actions and verification of their effectiveness," and MDR Article 10(12) requires manufacturers to take corrective action when a device may not be in conformity. Together, the two articles create the legal CAPA obligation, and EN ISO 13485:2016+A11:2021 clauses 8.5.2 and 8.5.3 are the harmonised way to meet it.

What goes into a startup CAPA record? At minimum: a clear description of the observation with its evidence, a root cause analysis, a corrective action with owner and date and evidence criteria, a preventive action with the same, attached implementation evidence, and a dated effectiveness verification. That is typically one page, sometimes two. Anything beyond that is usually overhead that does not trace to a specific clause or article.

How does CAPA connect to PMS and vigilance? PMS and vigilance are upstream sources that feed CAPA. A trend in PMS data under MDR Articles 83 to 86 becomes a CAPA input. A serious incident reported under Articles 87 to 92 triggers a parallel CAPA for internal investigation and action. CAPA is the downstream process that converts detection signals into eliminated causes, and its output feeds back into management review.

What is effectiveness verification and why does it matter? Effectiveness verification is the step where the manufacturer checks, after the action has been in place long enough to know, whether the action actually worked: whether the problem has stopped recurring, whether the trained people can actually do the task, or whether the updated process is actually being followed. EN ISO 13485:2016+A11:2021 clauses 8.5.2 and 8.5.3 both require review of effectiveness. Closing a CAPA without it is the single most common audit finding in this area.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10(9) (quality management system obligation, including "management of corrective and preventive actions and verification of their effectiveness") and Article 10(12) (obligation to take corrective action when a device may not be in conformity). Official Journal L 117, 5.5.2017.
  2. EN ISO 13485:2016+A11:2021, Medical devices - Quality management systems - Requirements for regulatory purposes, clause 8.2.2 (internal audit), clause 8.3 (control of nonconforming product), clause 8.5.2 (corrective action), clause 8.5.3 (preventive action).

This post is part of the Quality Management Under MDR series in the Subtract to Ship: MDR blog. Authored by Tibor Zechmeister and Felix Lenhard. The MDR is the North Star. EN ISO 13485:2016+A11:2021 is the tool. CAPA is where the two meet in the daily operation of a startup QMS, and the discipline described here is the one that survives a Notified Body audit.