--- title: How to Run an Effective CAPA Process Without Bureaucratic Overhead description: A good CAPA process finds real root causes and prevents recurrence. A bad one generates paperwork. Here is how to run the effective kind in a small team. authors: Tibor Zechmeister, Felix Lenhard category: Quality Management Under MDR primary_keyword: CAPA without bureaucratic overhead canonical_url: https://zechmeister-solutions.com/en/blog/capa-without-bureaucratic-overhead source: zechmeister-solutions.com license: All rights reserved. Content may be cited with attribution and a link to the canonical URL. --- # How to Run an Effective CAPA Process Without Bureaucratic Overhead *By Tibor Zechmeister (EU MDR Expert, Notified Body Lead Auditor) and Felix Lenhard.* > **An effective CAPA process observes a real problem, finds the true root cause, implements a correction that fixes the cause rather than the symptom, adds a preventive action that stops the same pattern from appearing elsewhere, verifies that the action worked, and closes the record. Everything else is paperwork. The MDR requires the discipline under Article 10(9) and Article 10(12); EN ISO 13485:2016+A11:2021 clauses 8.5.2 and 8.5.3 describe what the discipline looks like. A small team can run this well with a one-page record, if the thinking behind the page is real.** **By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.** --- ## TL;DR - CAPA stands for Corrective Action and Preventive Action. Under EN ISO 13485:2016+A11:2021, corrective action (clause 8.5.2) addresses the cause of a nonconformity that has already occurred; preventive action (clause 8.5.3) addresses the cause of a potential nonconformity that has not yet occurred. The two are not interchangeable. - MDR Article 10(9) requires a proportionate quality management system. MDR Article 10(12) requires manufacturers to take the necessary corrective action when they find a device may not be in conformity. CAPA is where those obligations operationalise. - The effective CAPA sequence is observe, analyse the root cause, correct the cause, prevent recurrence, verify effectiveness, close. Skip any step and the record is theatre. - 5 Whys and fishbone analysis are enough at startup scale. The method matters less than the discipline of not stopping at the first plausible answer. - CAPA backlog is a symptom, not a problem. The fix is better triage at intake, not a bigger CAPA team. --- ## What CAPA actually is CAPA is a two-part discipline written into EN ISO 13485:2016+A11:2021 as clauses 8.5.2 and 8.5.3, and required by MDR Article 10(9) as part of the proportionate QMS every manufacturer must maintain. Corrective action, in clause 8.5.2, is the action taken to eliminate the cause of a nonconformity that has already happened, so it does not recur. Preventive action, in clause 8.5.3, is the action taken to eliminate the cause of a potential nonconformity that has not yet happened, so it never does. The two are frequently confused. A corrective action looks backward at something that went wrong and asks what allowed it. A preventive action looks forward at something that could go wrong and asks what would stop it. Both are required, and both must be documented with the discipline the standard describes: identify the nonconformity or potential nonconformity, determine the cause, evaluate the need for action, decide on and implement the action, record the results, and review the effectiveness. MDR Article 10(12) adds the regulatory obligation. When a manufacturer considers or has reason to believe that a device which they have placed on the market or put into service is not in conformity with the Regulation, they must immediately take the necessary corrective action to bring that device into conformity, to withdraw it, or to recall it, as appropriate. CAPA is the process that makes that obligation operational inside the company. Without a functioning CAPA process, Article 10(12) has no internal mechanism to execute against. A CAPA is not a form. The form is a record of the thinking. The thinking is the CAPA. Confusing the two is the root cause of most CAPA bureaucracy. ## The common CAPA anti-pattern The anti-pattern is the CAPA that exists to generate paperwork. It is recognisable from the outside. A twelve-page form with thirty fields, most of which repeat the same information in slightly different language. A root cause analysis section that contains one sentence. A corrective action section that says "SOP will be updated" with no named owner, no date, and no evidence. A preventive action section that says "staff will be retrained." An effectiveness check section that is blank because the CAPA was closed the day it was opened. This is the CAPA that exists to survive an audit, not to solve a problem. Tibor walked into a company in Berlin whose entire QMS had been built from a template pack — the team had bought the templates, replaced the placeholder company name, and considered the QMS done. When the auditor started sampling, nonconformities appeared everywhere. The team's response was to open one CAPA per finding, each one a copy of the same template form, each one promising to update the SOP in question. None of them addressed the real root cause, which was that the QMS had never been matched to the actual operations of the company. The CAPAs were paperwork-generating exercises that left the underlying problem entirely untouched. The same pattern shows up in smaller forms. The CAPA opened because the auditor found a missing signature, closed the same day by signing the document. The CAPA opened because a batch record had a typo, closed by correcting the typo. None of these are CAPAs in the real sense. They are record corrections labelled as CAPAs to make the nonconformity log look active. The second anti-pattern is the opposite: a CAPA process so heavy that nothing gets through it. Every minor observation gets opened as a full CAPA. Every CAPA requires a cross-functional team, a formal root cause analysis meeting, a management review sign-off, and a thirty-day effectiveness check. Inside six months, the CAPA log has two hundred open entries, nothing has actually been fixed, and the team has learned that opening a CAPA is a punishment to avoid. The process looks rigorous on paper. In practice, it has killed the company's ability to respond to problems at all. Both anti-patterns share a cause: the team is treating CAPA as a bureaucratic obligation instead of a problem-solving tool. The fix is not to remove the discipline. It is to remove everything that is not the discipline. ## The effective CAPA sequence An effective CAPA runs through six steps, in order, with no steps skipped and no extra steps added. **Observe.** State the nonconformity or potential nonconformity clearly, in one or two sentences, in language someone outside the team could understand. Include what was observed, where, when, and by whom. Attach whatever evidence exists — the batch record, the complaint, the audit finding, the deviation report. If the observation cannot be stated clearly, the CAPA is not ready to open. **Analyse the root cause.** Use 5 Whys or a fishbone diagram. Do not stop at the first plausible cause. The test is whether the cause, if removed, would actually prevent the observed problem from happening again. If the answer is no, you have a contributing factor, not a root cause, and you need to keep going. **Correct the cause.** Define a corrective action that eliminates the root cause, not the symptom. The action has four components: what will be done, who will do it, when it will be completed by, and what evidence will prove it was done. EN ISO 13485:2016+A11:2021 clause 8.5.2 requires the action to be appropriate to the effects of the nonconformity — proportionate, not inflated, not deflated. **Prevent recurrence elsewhere.** Ask where else in the system the same pattern could exist, and take action to check and protect those places. This is what EN ISO 13485:2016+A11:2021 clause 8.5.3 means by preventive action in the CAPA context — not "we will be careful in the future," but a concrete action that addresses the same root cause in other parts of the system. **Verify effectiveness.** After the action has been in place long enough to know whether it worked, run a second look. Sampled audit, competency check, spot verification — whatever fits the action. If the action did not work, the CAPA is not closed. Reopen the analysis, find the reason the action failed, and try again. **Close.** The CAPA record is closed when the action is implemented, evidence is attached, and the effectiveness check is complete and positive. Closing a CAPA without the effectiveness check is not closing — it is parking. Every step is necessary. Every step produces a discrete output. No step needs a twelve-page form. ## Root cause analysis at startup scale Root cause analysis is where most CAPA processes go wrong, and where the largest amount of bureaucratic theatre typically accumulates. At startup scale, two tools are enough: 5 Whys and fishbone analysis. **5 Whys** is a sequential technique. State the problem. Ask why it happened. Take the answer and ask why that happened. Repeat until you reach a cause that, if removed, would actually prevent the problem. The "five" is a guideline — sometimes the real cause shows up at the third why, sometimes at the seventh. The discipline is not the count. It is the refusal to stop at the first comfortable answer. A worked example. The complaint: a customer received a device with incorrect labelling. Why? The label printer was loaded with the wrong label roll. Why? The operator did not check the label roll before loading. Why? The check is not in the work instruction. Why? The work instruction was written before the label-roll change was introduced and was never updated. Why? There is no trigger in the change control process that requires updating work instructions when a process change is introduced. The root cause is the missing trigger in change control. Fixing the work instruction alone leaves the cause intact and guarantees the same problem will appear the next time a process changes. **Fishbone analysis** (also called Ishikawa) is better when the root cause is not linear. Draw the problem at the head of the fish, and draw branches for the main categories of possible cause — people, process, equipment, materials, environment, measurement, whatever fits the context. Populate each branch with plausible contributing factors. Look for the factors that combine to produce the observed problem. Fishbone is slower than 5 Whys but catches multi-factor causes that 5 Whys would miss. Both techniques are free. Both can be done on a whiteboard with the people closest to the problem in the room for thirty minutes. Neither requires software, certification, or a consultant. What they require is the discipline to ask one more question than feels comfortable. ## What to document and what to skip Document everything that supports the thinking. Skip everything that does not. Keep the one-line statement of the observation with the evidence attached or referenced. Keep the 5 Whys chain or the fishbone diagram with the root cause marked. Keep the corrective action definition with owner, date, and evidence criteria. Keep the preventive action definition with the same. Keep the effectiveness check plan and the result. Keep the closure record with the date and the person who closed it. Skip the project charter. Skip the stakeholder map. Skip the risk assessment of the CAPA itself. Skip the meeting minutes from every review where the CAPA was discussed. Skip the template fields that ask for the same information in a different format. Skip the cover pages. A one-page CAPA record is enough if the page contains the real content. A twelve-page CAPA record is a waste of everyone's time if the thinking is absent, and it is still a waste if the thinking is present but buried in formatting. The test is the auditor question: if an auditor asked you to show how this CAPA was handled, what would you need to show them? That set of records is the CAPA file. Everything else is waste. ## How to avoid CAPA backlog Backlog is almost never a CAPA execution problem. It is an intake problem. Too many things are being opened as CAPAs that do not belong there, and the ones that do belong are buried. The fix starts at intake. Before opening a CAPA, ask two questions. First, does this require a corrective action, or is it a record correction? A missing signature, a typo in a batch record, a misfiled document — these are corrections, not CAPAs. Fix them, log the correction, move on. Second, does this require an analysis of the cause, or is the cause already known and trivial? If a cable was unplugged and the technician plugged it back in, there is no root cause analysis. There is a deviation record, closed. The CAPAs that remain after triage are the ones that need the discipline. Those get the full sequence. The rest go through a lighter channel — a correction log, a deviation log, a feedback log — that exists specifically so the CAPA process does not get flooded with things that do not need it. Backlog also comes from opening CAPAs that no one owns. Every CAPA needs a single named owner at the time it is opened. Not a team. Not a department. One person whose name is on the record and who is accountable for the next step. If no one can be named at the moment of opening, the CAPA is not ready to open. ## When a "small" CAPA deserves a "big" investigation The size of the finding is not always the size of the problem behind it. A single missing signature on a single training record looks small. If it is the only missing signature in a year, it is small. If it is the third missing signature this quarter from the same supervisor, it is a pattern, and the real CAPA is about the supervisor, not the signature. If a sample of training records shows that twenty percent have the same gap, the real CAPA is about the training process itself. A single out-of-specification test result looks small. If the investigation shows the test method is marginal and the result is within normal variation, it is small. If the investigation shows the test has been drifting for six months without anyone noticing, it is not small at all, and the real CAPA is about why the trend went unnoticed. The rule is simple. Before sizing the CAPA, check the pattern. One observation in isolation is one thing. The same observation as the third instance of a pattern is something else entirely. The trigger for a bigger investigation is not the severity of the single finding — it is the detection of a pattern the single finding is part of. A functioning CAPA process includes a step, at intake, to check whether the observation is the first of its kind or the latest in a series. ## The trap of closing CAPAs without verification The single most common reason CAPA records fail an audit is closure without effectiveness verification. The team takes the action, attaches the evidence of the action, and closes the record the same day. EN ISO 13485:2016+A11:2021 clause 8.5.2 requires review of the effectiveness of corrective action. "Review of effectiveness" is not the same as "confirmation that the action was implemented." Implementation is an input. Effectiveness is an output. A SOP was updated. Implementation is confirmed by the new version number and the signed training records. Effectiveness is confirmed by a sampled check, some time after the update, showing that the new SOP is actually being followed and the original problem is not recurring. Training was delivered. Implementation is confirmed by attendance records and training completion sign-offs. Effectiveness is confirmed by a competency assessment, some time after the training, showing that the trained people can actually perform the task correctly. A process change was introduced. Implementation is confirmed by the change record. Effectiveness is confirmed by the first sampled run of the new process, or a trend check, or whatever metric the original problem would have affected. The effectiveness check does not have to be heavy. It has to be real. A CAPA log full of records closed on the day of implementation is a CAPA log that has been gaming its own metrics, and an auditor will see through it immediately. A CAPA log where every record has a dated effectiveness check, however small, is a CAPA log that reflects a working process. ## The Subtract to Ship angle Subtraction in CAPA means cutting every step, every form field, every meeting, and every signature that does not contribute to solving the actual problem. The one-page record that contains a clear observation, a real root cause analysis, a concrete corrective action, a concrete preventive action, an attached piece of evidence, and a dated effectiveness check is a complete CAPA. Anything beyond that is overhead. The test is the same test that applies everywhere in the Subtract to Ship framework. For every element of the CAPA process, ask what specific EN ISO 13485:2016+A11:2021 clause or MDR article it traces to. Clauses 8.5.2 and 8.5.3 name the elements that are required. The rest of the process — the extra forms, the extra fields, the extra reviews — is discretionary, and most of it can be removed without compliance risk. What cannot be removed is the thinking. The thinking is the whole point. A small team running lean CAPA with discipline beats a large team running heavy CAPA without it. Every time. ## Reality Check — Where do you stand? 1. Could you show an auditor a CAPA from the last six months where the root cause analysis produced a cause that was more than one level deep from the original observation? 2. For that same CAPA, can you point to evidence that the corrective action was implemented and that an effectiveness check was performed after implementation? 3. How many CAPAs in your current log have been closed on the same day they were opened? Are any of them actually corrections that should not have been opened as CAPAs? 4. When you open a CAPA, do you routinely check whether the observation is the first of its kind or part of a pattern of similar observations? 5. How many separate forms, fields, and signatures does your CAPA process require, and how many of them trace to a specific clause of EN ISO 13485:2016+A11:2021? 6. Do you have a lighter channel for corrections and minor deviations that keeps them out of the CAPA log entirely? 7. If you had to rebuild your CAPA process from a single page, what would stay on the page and what would not survive? ## Frequently Asked Questions **What is the difference between corrective action and preventive action in CAPA?** Corrective action eliminates the cause of a nonconformity that has already occurred, so it does not recur. Preventive action eliminates the cause of a potential nonconformity that has not yet occurred, so it never does. Both are required under EN ISO 13485:2016+A11:2021 — corrective action in clause 8.5.2 and preventive action in clause 8.5.3. The two are distinct obligations and need separate thinking, even when they appear in the same CAPA record. **Does the MDR require a CAPA process?** The MDR does not use the word "CAPA," but MDR Article 10(9) requires manufacturers to maintain a quality management system that is proportionate to the risk class and type of device, and MDR Article 10(12) requires manufacturers to take corrective action when they believe a device may not be in conformity. The harmonised standard that operationalises those obligations is EN ISO 13485:2016+A11:2021, and clauses 8.5.2 and 8.5.3 describe the required corrective and preventive action processes. A functioning CAPA process is how a small manufacturer meets both requirements at once. **How detailed does a startup's CAPA record need to be?** Detailed enough to contain the observation, the root cause analysis, the corrective action with owner and date, the preventive action, the evidence of implementation, and the dated effectiveness check. That is typically a one-page record, sometimes two, for most startup CAPAs. More than that is usually padding. Less than that is usually missing required content. **Can a CAPA be closed on the same day it is opened?** Very rarely, and usually the answer is that it should not have been opened as a CAPA. Record corrections, trivial deviations, and single-event fixes with no cause analysis needed belong in a lighter channel — a correction log or deviation log — not in the CAPA process. A real CAPA requires enough time for the action to be implemented and the effectiveness check to be performed, which by definition means more than a day between opening and closing. **What is the minimum root cause analysis method a small team needs?** 5 Whys is enough for most linear problems. Fishbone analysis is better when the cause is multi-factor. Both can be done with a whiteboard and thirty minutes, by the people closest to the problem. Neither requires software or certification. What matters is the discipline of not stopping at the first plausible cause. **How do I know my CAPA process is effective?** Three signs. First, the same findings are not recurring at successive audits. Second, the CAPA log is not dominated by same-day closures or by records that have been open for more than a year. Third, every closed CAPA in the log has a dated effectiveness check, not just an implementation sign-off. If all three are true, the process is working. If any of them is false, there is a gap to fix. ## Related reading - [The 10 Most Common MDR Non-Conformities in Startup Audits](/blog/ten-most-common-mdr-non-conformities-startup-audits) — the findings a CAPA process is most often asked to close. - [How to Respond to MDR Audit Non-Conformities Step by Step](/blog/respond-to-mdr-audit-nonconformities) — the companion post on CAPA responses to Notified Body findings. - [The Subtract to Ship Framework for MDR Compliance](/blog/subtract-to-ship-framework-mdr) — the methodology behind the lean CAPA discipline in this post. - [What Is a Quality Management System for Medical Devices?](/blog/what-is-quality-management-system-medical-devices) — where CAPA sits inside the broader QMS picture. - [How to Build a Lean QMS for MDR as a Startup](/blog/build-lean-qms-mdr-startup) — the wider context for running a proportionate QMS with a small team. - [The Minimum Viable QMS Under MDR](/blog/minimum-viable-qms) — the smallest QMS that still meets Article 10(9) obligations. - [What CAPA Means Under MDR and ISO 13485](/blog/capa-mdr-iso-13485) — the foundational definitions and scope of CAPA in the MedTech context. - [Root Cause Analysis Techniques for MedTech Startups](/blog/root-cause-analysis-medtech-startups) — the deep dive on 5 Whys, fishbone, and structured RCA methods. - [Control of Nonconforming Product Under MDR](/blog/nonconforming-product-control-mdr) — the sibling clause to CAPA in EN ISO 13485:2016+A11:2021. - [The Most Common QMS Audit Non-Conformities Under MDR](/blog/common-qms-audit-nonconformities) — patterns a good CAPA process is designed to prevent. ## Sources 1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 10(9) (quality management system obligation) and Article 10(12) (obligation to take corrective action when a device may not be in conformity). Official Journal L 117, 5.5.2017. 2. EN ISO 13485:2016 + A11:2021 — Medical devices — Quality management systems — Requirements for regulatory purposes, clause 8.5.2 (corrective action) and clause 8.5.3 (preventive action). --- *This post is part of the Quality Management Under MDR series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. Tibor has reviewed CAPA records from both sides of the table — as the Notified Body auditor reading them and as the manufacturer writing them — and the discipline described here is the one that survives scrutiny in both roles.* --- *This post is part of the [Quality Management Under MDR](https://zechmeister-solutions.com/en/blog/category/quality-management) cluster in the [Subtract to Ship: MDR Blog](https://zechmeister-solutions.com/en/blog). For EU MDR certification consulting, see [zechmeister-solutions.com](https://zechmeister-solutions.com).*