Let’s not sugarcoat it but CAPA is where your QMS either proves it’s alive or exposes that it’s been running on autopilot.
Every manufacturer says they “have a CAPA system.” But under MDSAP, the question isn’t whether you have it or it’s whether you’re using it the way regulators expect. The days of ticking a box, filing a form, and calling it a day are long gone.
Under MDSAP, CAPA isn’t about compliance paperwork—it’s about how your system thinks. It’s how your organization responds to failure, controls risk, and learns fast. A truly effective CAPA function is like the nervous system of your QMS—detecting problems instantly, sending the right signals, and triggering the right corrective actions before damage spreads.
Let’s unpack how MDSAP treats CAPA. No fluff. Just what MDSAP auditors really want to see—and where most companies trip up.
The Foundation: What Auditors Want from Your CAPA System
The CAPA requirements under MDSAP, built on ISO 13485:2016—but expanded with real regulatory teeth.
Start with Question: Are your procedures even audit-worthy?
So, MDSAP expect written, implemented, and operational procedures that:
- Analyze data from across your QMS—complaints, NCs, audits, process trends
- Monitor product conformity at every stage
- Trigger and track CAPAs in a structured, risk-based manner
- Push quality issues to the right people for action
- Include clear mechanisms for feedback, early warnings, and escalation
This isn’t just about having a folder called “CAPA.” It’s about showing that your QMS can detect signals, respond intelligently, and avoid downstream damage.
Brazil requires that information about quality problems is actively shared with those responsible for product quality.
FDA adds that quality problems and CAPAs must also be fed into management review.
Risk Is the Ruler: When Do You Launch a CAPA?
Not every glitch triggers a CAPA. But your decision-making logic must be risk-based, documented, and repeatable.
MDSAP want to know how you decide whether to escalate to CAPA. Do you consider the impact on safety, essential performance, or regulatory compliance?
This applies to both actual and potential nonconformities. So even a near miss—say, a labeling error caught at release—could qualify, depending on risk.
Rule of thumb: if a failure could have impacted the device’s essential design outputs or patient safety, a CAPA is probably needed.
What a Real Root Cause Analysis Looks Like
This is where things get real. MDSAP’s Auditors will look at your CAPA records and ask: Did you identify a true root cause or did you just patch the problem?
You’re expected to use structured tools like 5 Whys, Ishikawa, Fault Tree Analysis—and your process should include:
- Criteria for when to investigate
- A defined plan with timelines and owners
- Risk-based prioritization
- Alternatives if the root cause can’t be determined
Remember: correction is not corrective action. Re-labeling a batch is not enough. You must go further to find why it happened, and how to prevent it again.
Preventive Action Still Matters—And It’s Not the Same Thing
This is where mature systems shine.
Corrective action is about fixing a failure. Preventive action is about foreseeing one.
MDSAP expects your team to proactively analyze data—trends, shifts, signals—and ask: Could this become a nonconformity?
Few companies do this well. But MDSAP explicitly required that preventive actions be taken, documented, and proven effective—just like corrective ones.
Don’t Skip the Effectiveness Check (Because Auditors Won’t)
A CAPA isn’t complete when the action is done. It’s complete when you’ve shown through data—that it worked.
Actions must be tracked, verified, and reviewed. The proof could be trend analysis, process audits, defect rate reductions, or complaint monitoring.
If an issue resurfaces post-CAPA, expect intense scrutiny. MDSAP auditors are trained to follow that trail back and they will ask if the root cause was ever addressed correctly.
Did Your CAPA Trigger a Design or Process Change?
Some CAPAs lead to design or process changes. And that’s where regulatory expectations ramp up.
If your CAPA results in altering a validated process, you must assess:
- Have you introduced new hazards?
- Have you evaluated and documented risk under ISO 14971?
- Did you perform revalidation (where needed)?
If the change is to design, it must go through your D&D control process—full stop.
Canada wants to see that Class III and IV device changes are evaluated for whether they require a license amendment
Australia requires advance notification to TGA or Auditing Organisations before implementing critical process changes.
Nonconformities: Before and After the Product Leaves
Let’s talk about nonconforming product. You need robust procedures to.
- Identify and isolate nonconforming product
- Determine and document disposition
- Justify any concessions or use-as-is decisions
- Notify responsible parties (e.g., suppliers)
If the issue is found post-distribution, your actions must be proportionate to risk. That might be:
- Field action (recall or advisory)
- Risk communication
- Post-market data analysis
- Regulatory notification, depending on the jurisdiction
Post-Market Phase: Your Feedback Loop
CAPA isn’t just about solving yesterday’s problems. MDSAP links it to the future.
Your QMS must collect data from the field i,e. complaints, vigilance reports, advisory notices and feed them into your CAPA system.
Auditors want to see this loop in motion:
Complaint → Investigation → CAPA → Effectiveness → Risk Update → Management Review
Bonus Tips: Link this to design risk files and supplier evaluations for full traceability and audit readiness.
Putting It All Together
Under MDSAP, CAPA is no longer just a compliance function. It’s the foundation of your credibility as a manufacturer.
MDSAP Auditors want to know:
- Do you detect problems early?
- Do you ask the right questions?
- Do you act proportionally?
- Do you prevent recurrence?
- Do you measure results?
If your answers are confident and documented—you’re on solid ground.
If not, it’s time to treat CAPA not as a file to be completed, but as a system to be strengthened.
Because when your CAPA system works, everything else in your QMS works better too—and in a regulatory environment this demanding, “better” is often the difference between passing and failing.
