Corrective Action vs. Preventive Action: What ISO 13485 and FDA QMSR Actually Require

TLDR

Corrective action and preventive action are two distinct processes with different triggers, different inputs, and different required documented outputs under ISO 13485:2016. Corrective action responds to a known failure. Preventive action responds to a potential failure identified through trend analysis, risk assessment, or data review before anything breaks. Under the FDA's Quality Management System Regulation (QMSR), effective February 2, 2026, these processes are evaluated separately under the new Compliance Program 7382.850. A combined SOP that treats preventive action as a checkbox inside a corrective action record creates measurable inspection risk, not because the format is wrong, but because the process structure typically fails to produce the documented PA outputs the regulation requires.

Corrective Action vs. Preventive Action: What ISO 13485 and FDA QMSR Actually Require

Few topics generate more debate among quality professionals than corrective and preventive action procedures. The argument tends to center on the wrong question: single SOP or separate SOPs? The more important question is whether your CAPA process produces the documented evidence each clause specifically requires. Under ISO 13485:2016 and the FDA's QMSR, these are not interchangeable processes, and the regulatory expectations for each are distinct.

Correction, Corrective Action, and Preventive Action: Three Different Things

Before getting into what each clause requires, it helps to establish what these three terms actually mean. They are frequently conflated in quality systems, and the conflation is itself a compliance risk.

A correction addresses the immediate problem. It fixes the nonconforming output: the product is reworked, quarantined, or disposed of. A correction does not investigate why the problem occurred and does not address the root cause.

A corrective action addresses the root cause of a known nonconformity. It is initiated after a problem has been identified, and its purpose is to eliminate the cause so the problem does not recur. The trigger is a confirmed failure.

A preventive action addresses a potential nonconformity before it occurs. Its trigger is not a failure but a signal: a trend in data, a risk identified through a quality risk assessment, a pattern in near-misses, or a systemic vulnerability identified through process review. No product has failed yet. The purpose is to eliminate the conditions that could produce a failure.

ISO 13485:2016 defines all three. The QMSR incorporates these definitions by reference. Treating corrective and preventive action as a single continuous process is one of the most common sources of CAPA-related audit findings in medical device inspections.

What ISO 13485:2016 Clause 8.5.2 Requires for Corrective Action

Clause 8.5.2 of ISO 13485:2016 establishes the documented requirements for corrective action. The organization must take action to eliminate the cause of nonconformities to prevent recurrence. The required process elements include:

Reviewing nonconformities, including complaints. Determining the causes of nonconformities. Evaluating the need for corrective action to ensure nonconformities do not recur. Planning and implementing necessary action. Verifying effectiveness of the corrective action taken. Ensuring that information on actions taken is communicated to personnel responsible for ensuring product quality.

Each of these elements must be documented. The root cause investigation must produce an identifiable, specific cause. Effectiveness verification must demonstrate, with objective evidence, that the corrective action resolved the problem and prevented recurrence. A corrective action record that identifies "human error" as the root cause and closes with retraining as the only action does not satisfy this clause for any systemic issue.

The clause also requires that corrective action be appropriate to the effects of the nonconformities encountered. Proportionality is expected. A minor typographical error in a work instruction does not require the same depth of investigation as a recurring sterility breach. The initiation criteria for a corrective action should reflect this proportionality in writing, not rely on individual judgment.

What ISO 13485:2016 Clause 8.5.3 Requires for Preventive Action

Clause 8.5.3 addresses preventive action with structurally similar but functionally distinct requirements. The organization must determine action to eliminate the causes of potential nonconformities. The required process elements include:

Determining potential nonconformities and their causes. Evaluating the need for action to prevent occurrence of nonconformities. Planning and implementing necessary action. Recording results of investigations and action taken. Reviewing the preventive action taken.

The critical word in Clause 8.5.3 is "potential." The trigger for a preventive action is not a failure that has occurred. It is a signal in your data, your risk management system, your process performance trends, or your internal audit findings that points to a failure that has not yet happened. If your preventive action process only opens records in response to actual events, it is not functioning as a preventive action process. It is a second corrective action process with a different label.

The documented inputs for a preventive action include the data or risk signal that triggered the action, the potential nonconformity identified, the cause analysis for why that potential failure could occur, the action taken to eliminate that cause, and the effectiveness review confirming the risk was addressed. These are different inputs than a corrective action record. The documented output requirements are also different.

The Core Difference: Triggers, Inputs, and What Must Be Documented

This is the distinction that matters most operationally. Corrective action and preventive action do not differ only in timing. They differ in what evidence is required to open a record, what the investigation must produce, and what must be documented to close it.

For corrective action: the trigger is a confirmed nonconformity. The investigation must identify the specific root cause of that nonconformity. Closure requires documented evidence that the root cause was addressed and that effectiveness was verified.

For preventive action: the trigger is a data signal, risk assessment output, trend analysis, or process review that identifies a potential problem. The investigation must identify the potential cause. Closure requires documented evidence that the potential cause was addressed and that the risk signal is no longer present.

A combined SOP that uses a single record for both types of actions can technically satisfy these requirements, but only if the procedure explicitly defines separate trigger criteria, separate investigation logic, and separate documentation requirements for each type. In practice, most combined SOPs do not do this. Preventive action gets treated as a question at the bottom of a corrective action form: "What preventive actions were taken?" The answer is typically a copy of the corrective action. That is not a preventive action. It is a correction with extra steps.

What QMSR Changed for CAPA in 2026

The FDA's QMSR, effective February 2, 2026, replaced the Quality System Regulation (QSR) under 21 CFR Part 820. It incorporates ISO 13485:2016 by reference, making Clauses 8.5.2 and 8.5.3 directly enforceable as U.S. federal law. (FDA.gov)

Two changes under QMSR directly affect how CAPA records are evaluated during inspections.

The FDA's legacy Quality System Inspection Technique (QSIT) was replaced by Compliance Program 7382.850. Under QSIT, FDA investigators followed a structured four-subsystem approach that focused on whether CAPA records existed. Under the new compliance program, investigators can follow audit trails into internal audit records, management review documentation, and supplier audit findings, which were largely off-limits under QSIT. This gives investigators a broader view of whether preventive action is actually being triggered by quality data, or whether it appears only on paper.

The QMSR also mandates that corrective and preventive actions be managed as separate processes. Under the old QSR, a combined procedure was commonly accepted. Under QMSR's ISO 13485 incorporation, an FDA Form 483 observation for inadequate separation of CA and PA processes is a realistic inspection finding, particularly when the CAPA record does not demonstrate that preventive action was triggered by an independent data source.

Do Separate Clauses Mean Separate SOPs? The Real Answer

No regulatory document states that corrective action and preventive action must be in separate SOPs. This is an important clarification. The compliance requirement is not about document format. It is about whether each process has defined trigger criteria, defined investigation logic, and defined documented outputs that satisfy its respective clause.

A combined SOP that clearly defines what triggers a corrective action (a confirmed nonconformity), what triggers a preventive action (a data signal or risk finding), and that maintains separate record types for each with distinct required fields can satisfy QMSR and ISO 13485:2016.

The compliance risk is not the combined SOP itself. The risk is what most combined SOPs actually produce in practice: preventive action records that are either absent, or that are copies of the corrective action with different language, or that are marked "not applicable" without justification.

If your combined SOP can demonstrate that preventive actions are triggered independently, investigated against potential causes rather than confirmed ones, and closed with evidence that the potential cause was addressed, the format is defensible. If it cannot demonstrate those things, the format is not the problem. The process is.

Why Preventive Action Fails in Most Quality Systems

Several patterns explain why preventive action is the most consistently underperformed process in regulated quality systems.

No defined data sources. Corrective actions have obvious triggers: a nonconformity occurred. Preventive actions require someone to analyze trend data, process performance metrics, management review outputs, and risk registers and identify patterns that point to future problems. If no one is assigned to perform that analysis on a defined schedule, preventive actions never get initiated. The data exists. No one looks at it.

No trigger criteria. Most CAPA SOPs define initiation criteria for corrective actions: severity thresholds, number of occurrences, customer impact. Preventive action trigger criteria are rare. Without defined criteria, the decision to open a PA depends entirely on individual judgment, which means it rarely happens.

PA treated as part of CA closure. The most common failure mode: after a corrective action is investigated and implemented, the CAPA record asks what preventive actions were taken. The answer points back to the corrective action. This conflates the two processes and produces no independent preventive action analysis.

Effectiveness reviews not defined separately. Corrective action effectiveness asks whether the nonconformity recurred. Preventive action effectiveness asks whether the potential problem that was identified no longer represents a risk. These are different questions. A combined CAPA system that applies one effectiveness review to both produces documentation that satisfies neither.

Building Trigger Criteria That Make PA a Real Process

The most direct fix for an underperforming preventive action process is defining, in writing, what actually triggers one. Here is a practical framework for building those criteria.

Tier 1 criteria trigger a preventive action automatically, without analysis. These include: quality risk assessment outputs that identify a high-severity, moderate-probability failure mode; internal audit findings that identify a systemic vulnerability with no current nonconformity; management review inputs showing a sustained negative trend in a key process metric; and near-miss events that reveal a systemic exposure.

Tier 2 criteria trigger a PA decision review, not an automatic opening. These include: two or more minor nonconformities in the same process area within a defined period; supplier performance data trending toward but not yet below the acceptance threshold; and post-market surveillance signals that do not rise to the level of a complaint but indicate a pattern.

The key difference from corrective action initiation criteria: PA triggers are forward-looking. They describe data patterns and risk signals, not confirmed failures. Defining them explicitly eliminates the dependence on individual judgment that causes PA to be perpetually undercounted.

What FDA Investigators Look for in CAPA Records

Under Compliance Program 7382.850, FDA investigators evaluating CAPA records are looking for several things that go beyond whether records are closed on time.

Evidence that preventive action is triggered by data, not by corrective actions. If every PA record in your system is linked to a CA event, investigators will note that no independent preventive action process is functioning. The expectation is that trend analysis, risk management outputs, and management review data feed the PA process independently.

Root cause investigation specificity. "Human error" as a root cause is not, by itself, a defensible conclusion for a systemic issue. Investigators expect to see specific causal factors identified, with corrective actions addressing those specific factors.

Effectiveness verification with objective evidence. A CAPA closed with "retraining completed" is not verified as effective unless follow-up data confirms that the nonconformity did not recur. Investigators look for the verification record and the data that supports it.

Connection between CAPA and management review. Management review is required to include CAPA status as an input under ISO 13485 Clause 5.6.2. If management review records do not reflect CAPA data and trends, that gap is visible during inspection.

Internal audit findings feeding the PA process. If your internal audit program identifies vulnerabilities that do not result in preventive action records, investigators will examine why. A finding with no PA attached is not automatically a problem, but a pattern of audit findings with no PA activity raises questions about whether the PA process is genuinely functioning.

How Cloudtheapp Supports Separate CA and PA Processes

Managing corrective action and preventive action as genuinely separate processes requires a quality system that enforces separate trigger criteria, separate record types, separate investigation workflows, and separate effectiveness verification steps. Attempting to manage this in a combined spreadsheet or a single document template produces exactly the documentation gaps that generate CAPA-related inspection findings.

Cloudtheapp's AI-powered, FDA-validated eQMS includes dedicated applications for corrective action and preventive action, each with configurable trigger criteria, defined required fields, workflow routing, and effectiveness review checkpoints. Because the platform is validated to 21 CFR Part 11 and ISO 13485:2016, every action in the system generates a timestamped audit trail that satisfies the record-keeping requirements both clauses demand.

The no-code Designer allows quality teams to configure their specific CA and PA trigger criteria directly into the workflow, so the system enforces initiation criteria consistently regardless of who is making the assessment. Trend data from nonconforming products, audit findings, and management review inputs feed directly into the PA process, eliminating the manual analysis step that most organizations skip.

For organizations currently managing CAPA in spreadsheets or a combined document system, Cloudtheapp's platform provides a structured, validated path to separation that does not require an implementation project or IT involvement. Request a demo to see how the CA and PA workflows operate in the context of your specific industry and device type.

Conclusion

Corrective action and preventive action are not two names for the same process. They have different triggers, different investigation requirements, and different documented outputs under ISO 13485:2016 Clauses 8.5.2 and 8.5.3. Under QMSR and the new FDA inspection framework, the expectation that both processes function independently is now enforceable at clause level, not just at the subsystem level of the legacy QSIT.

The debate about combined versus separate SOPs misses the real question. The question is whether your CAPA system produces documented evidence that preventive action is genuinely triggered by data, investigated against potential causes, and closed with effective risk reduction. If it does, the SOP format is defensible. If it does not, no SOP format protects you from an inspection finding.