CAPA Template: Corrective and Preventive Action Plan
A CAPA (corrective and preventive action) document is the formal response to a nonconformance, deviation, or quality failure in an ISO 9001, ISO 13485, IATF 16949, FDA 21 CFR 820, or GxP-regulated environment. The corrective part fixes the immediate problem. The preventive part eliminates the root cause so the failure does not recur or appear in adjacent processes. This page is the eight-field template, the root cause framework, and a worked example for an ISO 9001 supplier non-conformance.
Updated 11 May 2026
What CAPA is and is not
A CAPA is the formal mechanism that closes the loop between a quality event and the change to the underlying system. The corrective action contains and corrects the immediate problem (rework, scrap, recall, customer credit). The preventive action attacks the cause so the same class of event does not happen again. ISO 9001:2015 clause 10.2 and ISO 13485:2016 clause 8.5 both require this distinction.
CAPA is not a generic improvement tracker. It is not the right tool for a feature request, a process tweak with no defect signal, or a customer complaint that does not indicate a system failure. Over-using CAPA dilutes the trail of evidence regulators expect to see. Most mature quality management systems run a separate “continuous improvement” or “change control” track for improvements that are not triggered by a nonconformance.
The depth of the CAPA must match the severity of the nonconformance. Internal quality teams often use risk scoring (likelihood × severity) to decide whether a minor deviation needs a full CAPA or a lighter remediation record. FDA QSIT inspectors and ISO certification body auditors will look for evidence the CAPA depth matches the risk.
The eight required fields
1. CAPA number and date raised. Sequential reference, owner, date opened, target close date.
2. Description of the nonconformance. What happened, where, when, who detected it, what evidence supports the description (test result, customer complaint reference, audit observation).
3. Immediate containment. What was done in the first 24 to 72 hours to stop the problem getting worse: quarantine of affected stock, hold of in-process material, notification of affected customers.
4. Root cause analysis. Documented method (5 Whys, fishbone, 8D, fault tree). The output is a single sentence in the form “the root cause is X.” If the cause cannot be reduced to one sentence, the analysis is not complete.
5. Corrective action. The change made to fix the immediate root cause. Owner, deadline, evidence of completion.
6. Preventive action. The change to the system so the root cause cannot recur, and any check that the same cause is not active in adjacent processes. Owner, deadline, evidence.
7. Verification of effectiveness. How the team will confirm the action worked, measured over a defined period (often 30, 60, or 90 days after closure). Includes the criterion that defines “effective.”
8. Closure and sign-off. Date closed, name of the QA reviewer who approved closure, and any residual risk flagged for the management review.
Root cause: 5 Whys versus fishbone versus 8D
| Method | Use when | Output |
|---|---|---|
| 5 Whys | Single, well-defined defect with a likely procedural or human root cause | Linear cause chain ending in one root cause |
| Fishbone (Ishikawa) | Multifactor problem (people, method, machine, material, measurement, environment) | Cause categories with contributing factors per branch |
| 8D | Customer-facing failure requiring eight disciplined steps including team forming and recognition | Eight-section formal report |
| Fault tree analysis | Safety-critical or regulatory event where Boolean logic of cause-and-effect needs to be enumerated | Top event with logical gates and basic events |
In practice, 5 Whys is the default for ISO 9001 day-to-day CAPAs. Fishbone and 8D appear in IATF 16949 and OEM-driven supplier CAPAs. Fault tree analysis is more common in ISO 13485 medical device contexts where the consequence is patient harm.
Worked example: ISO 9001 supplier non-conformance
CAPA reference. CAPA-2026-014. Raised 18 April 2026. Owner: QA manager. Target close: 18 June 2026.
Description. Goods inwards inspection rejected a batch of 600 stainless-steel housings from Supplier X on 17 April. Surface finish (Ra) measured at 1.8 micrometres against specification of 0.8 micrometres. Same supplier had been on probation since two earlier finish-related rejections in Q1.
Containment. Batch quarantined in the inwards goods cage. Production switched to fallback supplier Y for the next two-week build cycle. Customer notified of a four-day shipment delay on the affected end-item.
Root cause (5 Whys). Why was finish out of spec? Polish step was skipped. Why? The polish station was off-line for repair. Why was production allowed to ship without polish? Operator override of the gate was permitted. Why? The override procedure did not require a quality sign-off. Why? The procedure was inherited from a pre-ISO 9001 plant SOP and never updated. Root cause: the override procedure at Supplier X allows operator-only sign-off of a quality-critical gate.
Corrective action. Reject and return the 600 housings under the contract clause for nonconforming material. Issue credit note request. Owner: procurement. Deadline 25 April.
Preventive action. Supplier X required to update the override procedure to require dual sign-off (operator plus QC) for any quality-critical gate. Supplier X to submit revised SOP for review by 8 May. Internal: add “override procedure review” to the supplier audit checklist for all probationary suppliers. Owner: supplier quality engineer.
Verification. Three consecutive lots from Supplier X inspected at incoming with 100 percent finish measurement. Verification effective if all three lots pass at Ra ≤ 0.8. Verification window: 60 days from the next shipment.
Closure. To close on 18 June if verification criteria met. Otherwise, escalate to supplier disqualification review per Section 7 of the supplier management procedure.