
    ISO 13485 CAPA in 2026: What Medical Device Makers Must Have Before Their Next ISO Surveillance Audit

    A practical guide to Clause 8.5.2 compliance — covering common surveillance audit findings, root cause depth requirements, and how AI-assisted quality systems catch CAPA escapes before regulators do



    CAPA deficiencies are the most cited finding in ISO 13485 surveillance audits — and in FDA and Health Canada inspections. Here is what your system must demonstrate to satisfy current audit expectations.

    Why CAPA Deficiencies Keep Appearing on Audit Reports

    Corrective and Preventive Action (CAPA) deficiencies have ranked among the top three findings in ISO 13485 surveillance audits, FDA inspections, and Health Canada medical device establishment licence (MDEL) reviews for over a decade. The persistence of CAPA findings across regulatory frameworks and years of industry attention is not accidental — it reflects a structural tension in how quality teams approach CAPA that no amount of procedural documentation fully resolves.

    The tension is this: CAPA as a compliance activity is well understood. CAPA as a quality intelligence function — capable of identifying systemic failure patterns before they manifest as regulatory findings or recall events — is far less commonly achieved. Audit findings on CAPA almost universally target the second dimension. Investigators are not asking whether you have a CAPA procedure. They are asking whether your CAPA process is actually working to improve your quality system.

    This guide examines what ISO 13485:2016 Clause 8.5.2 actually requires, where quality systems most commonly fail those requirements, and what practices distinguish CAPA programs that satisfy surveillance audits from those that generate repeat findings.

    What ISO 13485:2016 Clause 8.5.2 Actually Requires

    ISO 13485:2016 Section 8.5.2 establishes requirements for corrective action — actions taken to eliminate the cause of nonconformities and prevent recurrence. Section 8.5.3 addresses preventive action — actions taken to eliminate the causes of potential nonconformities before they occur.

    The standard requires that the organization:

    a) Review nonconformities (including customer complaints)

    b) Determine the causes of nonconformities

    c) Evaluate the need for action to ensure nonconformities do not recur

    d) Plan and implement appropriate action

    e) Record the results of any investigation and actions taken

    f) Review the effectiveness of corrective action taken

    Each of these steps is assessable in an audit — and each generates a distinct category of finding when inadequately implemented.

    Step (b) — Root cause determination — generates by far the most findings. ISO 13485 requires that root causes be determined, not merely that potential contributing factors be listed. The distinction matters. "Operator error during final inspection" is a contributing factor, not a root cause. It does not explain why the operator made the error, or which of the following is responsible: inadequate work instruction clarity, insufficient training verification, inspection criteria ambiguity, measurement system inadequacy, or process design factors that create error-prone conditions. An investigation that stops at the contributing factor level fails to satisfy Clause 8.5.2(b) and, more importantly, fails to prevent recurrence.

    Step (f) — Effectiveness review — generates the second-largest category of findings. Effectiveness review requires verifying that the action taken actually eliminated the cause of the nonconformity. This is not the same as verifying that the action was implemented. An audit finding that reads "effectiveness verification confirms the procedure was updated but does not verify the procedural change eliminated the original error mode" is a real and common observation.

    The Four Root Cause Failures That Generate Repeat Findings

    Failure 1: Stopping at the symptom level

    The most common root cause investigation failure is confusing the symptom (what happened) with the cause (why it happened). "Test equipment was out of calibration" is a symptom. "The calibration recall system did not generate a hold notice for equipment due for calibration on the production date in question" is a contributing cause. "The calibration management software parameter for hold notice generation was set to notify only the calibration laboratory, not production scheduling, and production scheduling had no independent visibility into calibration status" is closer to a root cause.

    Investigators applying the 5-Why method with genuine rigor will typically reach the actual systemic cause by the fourth or fifth "why." Investigations that stop at the second or third "why" consistently generate repeat CAPA findings.

    Failure 2: Scope limited to the incident rather than the system

    A nonconformity reveals an exposure. The investigation scope should address not just the specific event but the broader system that permitted it: Are there other products, processes, or equipment where the same failure mode could occur? Are there similar conditions in other facilities or shifts? This systemic scope question — required by both ISO 13485 and FDA's QMSR — is frequently absent from CAPA records.

    Failure 3: Action selected without reference to the root cause

    Corrective actions that address a root cause different from what the investigation identified produce exactly the outcome you would expect: the root cause remains, and the nonconformity recurs. If the investigation concludes that the root cause is a measurement system inadequacy but the corrective action is additional operator training, the action does not address the cause. This pattern appears more often than it should, particularly when the actual root cause implicates a capital investment or process redesign that quality teams are reluctant to recommend.

    Failure 4: Effectiveness review conducted too soon or with inadequate scope

    Effectiveness review conducted within days of implementing a corrective action — before sufficient production data is available — cannot demonstrate that the root cause has been eliminated. Effectiveness review limited to confirming the action was implemented does not satisfy the standard. Current audit expectations require effectiveness review to demonstrate, with evidence, that the failure mode has not recurred over a meaningful production or time period relevant to the process.

    FDA QMSR 2026 and Health Canada MDR: CAPA Crosswalk

    The FDA's Quality Management System Regulation (QMSR), effective February 2, 2026, formally harmonizes 21 CFR Part 820 with ISO 13485:2016. For CAPA specifically, QMSR Section 820.100 now explicitly references and incorporates the ISO 13485:2016 Clause 8.5.2 and 8.5.3 framework. FDA inspection criteria for CAPA are therefore now formally aligned with ISO 13485 expectations — which means manufacturers maintaining a single CAPA system to both standards are meeting their regulatory obligations, provided that system genuinely satisfies ISO 13485 Clause 8.5.2.

    Health Canada's Medical Devices Regulations (SOR/98-282) do not prescribe CAPA in the same procedural detail as ISO 13485, but Health Canada's quality system requirements for MDEL holders implicitly require CAPA capability as a component of the quality management system. In practice, Health Canada's Compliance and Enforcement Branch inspects CAPA records against ISO 13485:2016 expectations for manufacturers already ISO-certified. For manufacturers not ISO-certified, Health Canada evaluates CAPA capability against functionally equivalent criteria drawn from IMDRF guidance.

    What Auditors Are Looking For in 2026

    Surveillance audit practice has evolved. In 2026, experienced ISO 13485 auditors are not primarily looking at CAPA procedure documentation — they are sampling CAPA records and asking four questions:

    1. Is the root cause plausible and deep enough? Does the investigation's explanation actually account for the failure mode in terms of system conditions, not just individual actions?

    2. Is the action appropriate to the root cause? Is there a logical connection between what was found and what was done?

    3. Was the action implemented as planned? Is there objective evidence of implementation?

    4. Did the action work? Is there data — not just assertion — that the nonconformity did not recur?

    A CAPA program that can answer all four questions with objective evidence for its highest-risk nonconformities is a CAPA program that will not generate major findings in surveillance.

    AI-Assisted Quality Systems and CAPA Escape Prevention

    The category of quality risk that CAPA programs historically manage poorly is the "escaped" signal — a complaint pattern or field data trend that crosses a threshold warranting CAPA initiation but is not recognized as such by complaint management processes operating on a queue basis.

    AI-assisted quality management platforms apply signal detection models to complaint, field service, and adverse event data continuously — identifying complaint velocity inflections and pattern clusters that manual monthly complaint review misses. For ISO 13485 compliance purposes, this changes the nature of the CAPA trigger: instead of CAPA opening reactively after a nonconformity becomes visible in aggregate data, CAPA opens when signal patterns suggest a systemic issue before volume reaches a threshold that would warrant investigation under traditional processes.

    Manufacturers using AI-assisted complaint monitoring consistently report earlier CAPA initiation — often 8–14 weeks earlier than comparable manufacturers relying on manual trending. Earlier CAPA initiation means narrower scope, lower correction cost, and in medical devices, the potential to initiate a Field Safety Corrective Action proactively rather than in response to a regulatory demand.


    SuperRecall.ai helps medical device manufacturers build AI-assisted post-market surveillance systems that surface CAPA signals earlier and support ISO 13485:2016 compliance. To see how our platform supports your CAPA program and audit readiness, request a demonstration or explore our medical device recall capabilities.
