What the FDA’s newest inspection data reveals about where medical device manufacturers are still getting it wrong — and how to close the gaps before your next audit.
Last Updated: May 2026
Affiliate Disclosure: Some links in this article are affiliate links. If you purchase through them, The Standards Navigator may earn a commission at no additional cost to you.
📋 Free Download: ISO 13485 Gap Assessment Checklist — 64 items covering ISO 13485 clauses + all four FDA QMSR bridge requirements ISO 13485 certification alone does not cover.
The FDA Just Changed How It Measures Your CAPA System — And Most Manufacturers Haven’t Noticed
CAPA was the undisputed number-one FDA 483 finding for years. Not close. Not rotating with other subsystems. Every year, far and away.
That changed in 2026.
Three months of QMSR inspection data is in. Risk management documentation under Clause 7.1 now sits at number one — 25 citations. CAPA-related findings come in at 19 combined. On paper, that looks like good news. It isn’t — at least not entirely.
Here’s the nuance that matters: the inspection model changed. Under the old QSIT system, abbreviated inspections hit CAPA almost every single time. Other subsystems cycled in less frequently. CAPA’s dominance was partly an artifact of inspection structure, not a clean picture of where the industry actually struggled.
The new model looks at everything — every subsystem, every inspection. The categorization changed too. Under the old QSR, all CAPA requirements bundled into one code. Now they fragment. Two separate 8.5.2 entries already appear in the first dataset. CAPA didn’t disappear. The field just got wider.
If you’re managing a QMS for a medical device manufacturer, that means more exposure, not less.
In This Guide
- What ISO 13485 Clause 8.5.2 actually requires — and what most procedures miss
- The six mandatory data inputs for your CAPA process under Section 8.4
- Why the InfuTronix case is the most instructive FDA enforcement example in recent years
- The difference between measurement and analysis — and why confusing them causes most failures
- How horizontal analysis works and why auditors look for it specifically
- Common misconceptions that lead to major nonconformances
- What to do before your next surveillance audit
Table of Contents
Start Here (Top Resources)
🔖 Get ISO 13485:2016 → ANSI Webstore — ANSI is the official U.S. distributor of ISO standards, ensuring you receive the controlled, compliant version required for certification audits. Use coupon CC2026 for 5% off.
🔖 Get ISO 13485 training → BSI Group — BSI Group is a founding member of ISO and one of the world’s largest providers of ISO training courses, recognized by certification bodies globally.
🔖 Build your CAPA documentation → 9001Simplified — 9001Simplified provides ready-to-use documentation kits that dramatically reduce the internal labor required to build a compliant QMS from scratch.
🔖 Pursue or maintain ISO 13485 certification → ISOQAR — ISOQAR is a UKAS-accredited certification body — one of the most recognized in the industry for ISO management system certification.
Browse the Standards Library to identify which standards apply to your compliance area, or view the most widely used standards in medical devices and manufacturing.
What Is CAPA Under ISO 13485?
CAPA — Corrective and Preventive Action — is the mechanism your QMS uses to identify problems, trace them to root cause, and prevent recurrence. Under ISO 13485:2016, CAPA spans two clauses: Clause 8.5.2 (corrective action) and Clause 8.5.3 (preventive action). They operate differently and auditors evaluate them separately.
Corrective action addresses a nonconformity that has already occurred. Preventive action addresses a potential nonconformity that has not yet materialized. The distinction matters because the procedures, triggers, and documentation requirements differ between them.
ISO 13485 places CAPA in the broader context of Clause 8.5, which also covers continual improvement. But the practical application of CAPA runs deeper — it pulls from data collected across Clause 8.4 (analysis of data) and connects to management review, internal audits, and post-market surveillance. A CAPA procedure that treats the clause as standalone almost always fails at audit.
Under the QMSR (Quality Management System Regulation), which took effect February 2, 2026, FDA now explicitly harmonizes its device QMS requirements with ISO 13485. CAPA requirements that previously lived in 21 CFR Part 820.100 now map directly to ISO 13485 Clause 8.5.2. FDA expects those requirements to be met — and QMSR inspections are actively evaluating them.
What Clause 8.5.2 Actually Requires
Clause 8.5.2 sets out six specific requirements for corrective action. Each one has a documentation implication.
1. Review nonconformities — including customer complaints. This means your CAPA trigger list must include complaint data, not just internal defect records. If complaints are logged in one system and CAPA is managed in another, there needs to be a formal connection between them. Auditors check that connection.
2. Determine the causes of nonconformities — root cause analysis is not optional. Documenting “operator error” or “process deviation” without supporting evidence of how that conclusion was reached is a common major nonconformance. You need a documented methodology — 5 Whys, fishbone, fault tree — and evidence it was applied.
3. Evaluate the need for corrective action — not every nonconformity requires a CAPA. The standard requires you to evaluate and document that decision. Organizations that open a CAPA for every minor deviation create administrative burden; organizations that never document the decision to not open a CAPA create audit vulnerability.
4. Determine and implement corrective action — the action must be proportionate to the effects of the nonconformity. This means documented implementation, not just a description of what was planned.
5. Record results of corrective action — effectiveness verification is required. You must demonstrate that the action you took actually resolved the problem. A corrective action record that closes without verification evidence is not compliant.
6. Review corrective action and its effectiveness — this step loops back into your data analysis process. If the same problem recurs, your record should capture that recurrence and the updated response.
The 2026 QMSR inspection data showing two separate 8.5.2 citations reflects how inspectors are now parsing these requirements individually. A finding against root cause determination is a different citation from a finding against effectiveness verification.
At this point, most quality managers in this position should: → Confirm your CAPA procedure addresses all six elements explicitly — and that your records can demonstrate compliance with each one. Get the ISO 13485 Gap Assessment Checklist to verify your current gaps across all 13485 clauses.
The Six Data Inputs for Section 8.4
Clause 8.4 requires you to analyze data from specific sources to drive CAPA and continual improvement. The standard names six:
| Data Source | What It Covers |
|---|---|
| Feedback | Customer complaints, post-market surveillance data, service reports flagged by users |
| Product conformity | Inspection results, test data, nonconforming product records |
| Process and product trends | Statistical process control, yield trends, recurring deviations |
| Supplier performance | Supplier nonconformances, delivery performance, qualification data |
| Audit results | Internal audit findings, certification body findings, customer audits |
| Service reports | Field service records, repair data, failure modes reported post-delivery |
Your CAPA procedure must document how data from each of these sources is collected, reviewed, and used to make CAPA decisions. The piece most manufacturers skip entirely is what experienced quality practitioners call horizontal analysis — looking across your data sources, not just within them.
The Analysis Failure: What InfuTronix Got Wrong
The InfuTronix case is the most instructive CAPA enforcement example to come out of FDA inspection activity in recent years. It illustrates the most common failure mode — and it isn’t what most people expect.
InfuTronix had a rule written directly into their CAPA procedure: ten complaints in a rolling 12-month window triggers a CAPA. Simple enough. Documented. Auditable on its face.
Between September 2020 and August 2021, they received 80 complaints reporting power issues, 31 for battery failures, and 67 for leaking administration sets. Not one CAPA was opened.
This was not a data collection failure. The complaints were logged. The threshold was documented. The system simply never connected what was being measured to what that data actually meant.
That is an analysis failure — and it is the most common one FDA finds.
Measurement gets you the number. Analysis tells you what to do with it.
ISO 13485 Section 8.4 requires both, and your procedure needs to address the full cycle: collect the data, analyze it against defined criteria, and produce a documented decision. The decision can be: open a CAPA, escalate to management review, or continue monitoring. All three are defensible. No decision — or a decision made without documentation — is not.
FDA found all of this during inspection. The warning letter that followed cited failure to establish and maintain procedures for implementing corrective action under 21 CFR 820.100(a). Under QMSR, that same finding maps directly to ISO 13485 Clause 8.5.2.
Source: FDA Warning Letter, InfuTronix LLC, June 16, 2022. Available at fda.gov.
📋 Free Download: ISO 13485 Gap Assessment Checklist — 64 items covering ISO 13485 clauses + all four FDA QMSR bridge requirements ISO 13485 certification alone does not cover.
Horizontal Analysis: The Step Most QMS Procedures Skip
Vertical analysis — reviewing data within a single source — is what most CAPA procedures are built around. You run through complaints. You run through audit findings. You check supplier nonconformances. Each in its own silo.
Horizontal analysis means looking across those sources simultaneously — specifically for patterns that only become visible when you connect the data.
A complaint spike in Q2 means something different when it aligns with a supplier nonconformance from the same quarter. A field failure pattern means something different when it correlates with a process change implemented three months prior. A rising service report trend means something different when internal inspection data for the same product shows clean numbers — because that combination suggests the problem is post-delivery, not in-process.
These cross-source connections are where real problems get caught before FDA finds them. They are also where most QMS procedures have no documented methodology whatsoever.
Your CAPA procedure should require a formal cross-source review at defined intervals — typically aligned with management review. The review should produce a documented output: either a CAPA trigger, a decision to continue monitoring with rationale, or escalation to a different quality subsystem.
Certification bodies increasingly audit for this specifically. The question is not just “do you have a CAPA procedure?” It’s “does your analysis process look across all six data sources and produce a documented decision?”
➡️ ANSI Webstore — Get ISO 13485:2016, the standard your CAPA procedure must align with. ANSI is the official U.S. distributor of ISO standards, ensuring you receive the controlled, compliant version required for certification audits. Use coupon CC2026 for 5% off.
Common CAPA Misconceptions
“A CAPA is only needed when something goes seriously wrong.”
The standard doesn’t set a severity threshold for opening a CAPA — it requires a documented decision about whether a nonconformity warrants one. The mistake isn’t opening too many CAPAs. It’s failing to document the evaluation. Auditors don’t penalize organizations for opening few CAPAs; they penalize organizations that can’t show they evaluated the data and made a deliberate decision.
“Closing the CAPA once the action is implemented is sufficient.”
Clause 8.5.2 requires effectiveness verification — evidence that the corrective action actually resolved the problem. Closing a CAPA at implementation is one of the most consistently cited findings in ISO 13485 surveillance audits. Effectiveness verification must be documented, must use defined criteria, and must happen at a point in time when there is enough post-implementation data to draw a conclusion.
“Our CAPA system is separate from complaint handling and that’s fine.”
It isn’t. The connection between complaint data and CAPA decisions must be explicit and documented. A complaint handling procedure that logs data and a CAPA procedure that never receives it create exactly the kind of system failure the InfuTronix case illustrates. If there is no formal handoff between your complaint system and your CAPA trigger evaluation, that gap will be found.
What Auditors Look For in CAPA Reviews
Whether the auditor is from a certification body or an FDA investigator conducting a QMSR inspection, the CAPA review follows a consistent pattern. Understanding it in advance is the most effective preparation.
They start with your procedure. They read it. They look for whether it covers all six elements of Clause 8.5.2 and whether it explicitly addresses the six data inputs from Clause 8.4. Gaps in the procedure are flagged before they look at a single record.
They pull a sample of CAPA records. Typically 3–5 for a surveillance audit, more for initial certification or for-cause inspections. They are looking for: documented root cause methodology, proportionality between the action and the finding, effectiveness verification with criteria and evidence, and closure only after verification.
They look for records that should exist but don’t. This is where analysis failures surface. If complaint data shows a spike and no CAPA was opened, the auditor will ask for the documented decision that concluded no CAPA was needed. If that document doesn’t exist, that is a finding — regardless of whether the decision was actually reasonable.
They check the connection between data sources. Does your management review input include CAPA status? Does your internal audit program look at CAPA effectiveness? Does complaint data flow into your trend analysis? These connections are evaluated systematically.
They review effectiveness verifications. A CAPA closed with “action implemented — problem resolved” and no supporting data is a major nonconformance. Effectiveness verification requires defined criteria established before the action is taken, a monitoring period, and data that demonstrates the criteria were met.
If you are preparing for a certification audit or a QMSR inspection, the FDA QSR vs ISO 13485 (QMSR Transition Guide) is the clearest resource available on how the two frameworks now align.
If you are building CAPA procedures from scratch or rewriting existing ones, the What Is ISO 13485? pillar article covers the full clause-by-clause context you need before the documentation work begins. For a complete breakdown of how ISO 13485 and FDA QMSR requirements interact at the clause level, see ISO 9001 vs ISO 13485.
If you are under active FDA inspection pressure → Get BSI Group ISO 13485 training and ISOQAR certification support immediately. BSI Group is a founding member of ISO and one of the world’s largest providers of ISO training courses, recognized by certification bodies globally. ISOQAR is a UKAS-accredited certification body — one of the most recognized in the industry for ISO management system certification.
| Provider | What You Get | Best For |
|---|---|---|
| ANSI Webstore | ISO 13485:2016 official standard document | Any organization needing the controlled, compliant version of the standard |
| BSI Group | ISO 13485 training courses | Teams preparing for implementation, audit readiness, or CAPA procedure development |
| 9001Simplified | QMS documentation kits | Organizations building CAPA and QMS documentation from scratch |
| ISOQAR | ISO 13485 certification | Organizations ready to pursue or maintain certification |
Most organizations at this stage need all three:
- The standard from ANSI Webstore (use CC2026 for 5% off)
- Lead implementer training from BSI Group
- A documentation kit from 9001Simplified
This combination covers the standard, the knowledge, and the implementation infrastructure.
Frequently Asked Questions
What does ISO 13485 require for CAPA?
ISO 13485 Clause 8.5.2 requires a documented procedure that covers reviewing nonconformities, determining root causes, evaluating the need for action, implementing corrective action proportionate to the problem, recording results, and verifying effectiveness. Preventive action under Clause 8.5.3 follows a parallel structure for potential — not actual — nonconformities.
What is the most common CAPA finding in ISO 13485 audits?
Failure to verify the effectiveness of corrective actions is consistently the most common major nonconformance in surveillance audits. The second most frequent is incomplete root cause analysis — particularly records that name a root cause without showing the methodology used to reach that conclusion.
How many CAPAs should a medical device manufacturer open per year?
There is no target number. A small manufacturer with a mature QMS might open fewer than ten CAPAs annually and pass every audit. What auditors evaluate is whether the documented decision-making process is defensible — not the volume of CAPAs opened. If you are in a situation where your data shows patterns and no CAPAs are being opened, the risk is high regardless of company size.
Does CAPA under QMSR differ from CAPA under the old QSR?
The substance is largely the same. The significant change is that QMSR now explicitly adopts ISO 13485 Clause 8.5.2 as the governing framework, and inspections evaluate every subsystem — not just CAPA, as abbreviated QSIT inspections frequently did. Two separate 8.5.2 citations already appear in early QMSR inspection data, reflecting more granular evaluation of individual requirements within the clause. Read the full FDA QSR vs ISO 13485 Transition Guide for a complete breakdown.
What is the difference between corrective action and preventive action in ISO 13485?
Corrective action (Clause 8.5.2) addresses a nonconformity that has already occurred. Preventive action (Clause 8.5.3) addresses a potential nonconformity that trend data or risk analysis suggests may occur. The distinction is more than semantic — auditors evaluate them separately, the documentation requirements differ, and the trigger criteria for each should be explicit in your procedure.
Can we use a single CAPA form for both corrective and preventive actions?
Yes — many organizations use a combined form with fields that distinguish the type of action. What matters is that the record clearly identifies whether the action is corrective or preventive, that the corresponding clause requirements are addressed, and that the effectiveness verification criteria are appropriate for the action type.
What data sources must feed our CAPA process under ISO 13485?
Clause 8.4 identifies six: feedback (including complaints), product conformity data, process and product trends, supplier performance, audit results, and service reports. Your CAPA procedure should document how each source is reviewed, at what frequency, and how that review produces documented CAPA decisions. If you are using the ISO 13485 Gap Assessment Checklist, the data analysis section will identify exactly where your current procedure has gaps.
How long do we need to keep CAPA records?
ISO 13485 Section 4.2.5 requires records to be retained for a period at least equal to the lifetime of the device, but not less than two years from the date of product release. FDA QMSR requirements align with this. For implantable devices or devices with extended service life, the retention period is typically longer and should be specified in your records control procedure.
Free Resources
📋 Free Download: Manufacturing Compliance Checklist — ISO 9001, 14001, 45001 & OSHA — 50 items with gap scoring across all systems.
📋 Free Download: Supplier Quality Checklist — ISO 9001 Clause 8.4 — all supplier controls auditors evaluate, 45 items with scoring.
📋 Free Download: ISO 9001 Implementation Roadmap — The exact 5-phase process from gap assessment to Stage 2 audit clearance.
📋 Free Download: ISO 13485 Gap Assessment Checklist — 64 items — ISO 13485 clauses + all four FDA QMSR bridge requirements ISO 13485 certification alone does not cover.
Not Sure What to Do Next?
→ You need the official ISO 13485:2016 standard → ANSI Webstore — Use CC2026 for 5% off. ANSI is the official U.S. distributor of ISO standards.
→ You need to understand how your CAPA requirements changed under QMSR → FDA QSR vs ISO 13485 Transition Guide
→ You need to train your team on ISO 13485 CAPA requirements → BSI Group ISO 13485 Training — BSI Group is a founding member of ISO and one of the world’s largest providers of ISO training courses.
→ You need to build CAPA documentation from scratch → 9001Simplified Documentation Kits — 9001Simplified provides ready-to-use documentation kits that dramatically reduce the internal labor required to build a compliant QMS.
→ You are ready to pursue ISO 13485 certification → ISOQAR — ISOQAR is a UKAS-accredited certification body — one of the most recognized in the industry for ISO management system certification.
→ You want to assess your full ISO 13485 gaps before spending anything → ISO 13485 Gap Assessment Checklist — free, 64 items
→ You need to understand what ISO 13485 covers before addressing CAPA specifically → What Is ISO 13485?
→ You need to understand how risk management connects to CAPA → What Is ISO 14971? and ISO 14971 vs ISO 13485
→ You need to compare ISO 13485 to ISO 9001 to understand CAPA differences → ISO 9001 vs ISO 13485
→ You want to buy ISO 13485 → Buy ISO 13485
→ You want to browse all medical device standards in one place → explore sector-specific standards or browse standards by compliance area
Still figuring out where to start?
If you are not ready to purchase yet — that is normal. ISO 13485 CAPA decisions typically take weeks from first research to implementation commitment.
The best next step for most organizations at this stage: → Download the free ISO 13485 Gap Assessment Checklist — it takes 20 minutes and tells you exactly where your CAPA and QMS gaps are before you spend anything.
📋 Free Download: ISO 13485 Gap Assessment Checklist — 64 items — ISO 13485 clauses + all four FDA QMSR bridge requirements ISO 13485 certification alone does not cover.
The Cost of an Analysis Failure
CAPA is not a form. It is not a procedure sitting in your document management system. It is the mechanism that connects everything your quality system measures to everything your quality system does about it. When that connection breaks — when data is collected, thresholds are documented, and no one asks what the numbers actually mean — FDA finds it. Certification bodies find it. And devices reach the field with problems that could have been caught.
The InfuTronix case isn’t an outlier. Organizations that receive 483 observations for CAPA failures almost always had a procedure. What they didn’t have was an analysis process that produced documented decisions. That gap is what inspection finds — and it’s the gap that costs the most to recover from after the fact.
Under QMSR, the inspection model is now broader. Every subsystem, every inspection. CAPA didn’t disappear from the top of the finding list — it fragmented into more specific citations. That means more exposure, not less.
At The Standards Navigator, complex standards are translated into practical, real-world guidance you can act on.
👉 Get updates on new standards, implementation strategies, and compliance insights 👉 Be first to access new guides, tools, and checklists
Subscribe below to stay ahead.