Corrective and Preventive Actions

What mistakes the MDR is making and why you shouldn't be talking about CAPAs.

The FDA (in 21 CFR part 820 – QSR) and ISO 13485 differentiate between corrective actions, preventive actions and corrections.

Unfortunately, the MDR and IVDR do not clearly differentiate between these concepts. Some manufacturers also believe they can combine corrective and preventive actions into CAPAs. But this is just as imprecise as the lack of distinction between “corrections” and “corrective actions.”

This article defines the terms and helps you avoid deviations in audits and even illegal marketing of devices caused by this confusing terminology. It lists the regulatory requirements and uses examples to explain how to differentiate between the pairs “corrective action” and “correction” and “corrective action” and preventive action.”

Fig. 1: Corrections, corrective actions, preventive actions

1. Correction


ISO 9000 defines the term correction as follows:

Definition: Correction

“action to eliminate a detected nonconformity”

Source: ISO 9000:2015 3.12.2


Examples of corrections are:

  • Shortening a component that is too long
  • Fixing a software bug
  • Classifying a medical device in the right class

2. Corrective action

a) Corrective actions in ISO 9000 and ISO 13485


ISO 9000:2015 defines the term corrective actions as follows:

 Definition: Corrective action

“action to eliminate the cause of a nonconformity and to prevent recurrence”

Source: ISO 9001:2015 3.12.2

Therefore, the aim of a corrective action is to identify and eliminate not just nonconformities but also the causes of nonconformities that have already occurred and to ensure that such nonconformities do not occur again.


Colloquially, actions intended to ensure that a nonconformity does not occur again are often referred to as preventive actions. However, according to the definition, this is not a preventive action.

Examples of corrective actions

Examples of corrective actions include:

  • Changing an incorrect setting on a production machine, e.g., CNC milling machine, so that the component is the correct length in the future
  • Revising the coding guidelines after a software error to ensure the error (probably) does not re-occur
  • Establishing a new data protection strategy after a data loss
  • Making further training mandatory for persons before they classify devices
  • Automating the final inspection so that it is no longer possible to forget to document the results of the inspection

b) Corrective actions according to the MDR and IVDR

Unfortunately, the MDR has not adopted the definition of corrective action from ISO 9000 and ISO 13485:

Definition: Corrective action

“action taken to eliminate the cause of a potential or actual non-conformity or other undesirable situation;”

Source: MDR Article 2

This definition is very unfortunate because it mixes the elimination of the cause of a potential nonconformity and the elimination of the cause of an existing nonconformity. Elimination of a potential nonconformity is usually considered a preventive action.

Regrettably, the MDR and IVDR also use the term “field safety corrective action” in addition to the term “corrective action.”

 Definition: Field safety corrective action

“corrective action taken by a manufacturer for technical or medical reasons to prevent or reduce the risk of a serious incident in relation to a device made available on the market;”

Source: MDR Article 2(68)

Although neither the MDR nor the IVDR define the term preventive action, they do use it. But only in the phrase “corrective and preventive action.” Why this mixing of the two terms is a problem is explained later in this article.

3. Preventive action


ISO 9000:2015 and ISO 13485 do define the term preventive action:

Definition: Preventive action

“action to eliminate the cause of a potential nonconformity or other potential undesirable situation.”

Source: ISO 9000:2015 3.12.1

Interestingly, ISO 9000:2015 defines the term, but ISO 9001:2015 no longer requires any preventive actions.

Examples of preventive actions

Preventive actions are aimed at avoiding future nonconformities that have not yet occurred.

These actions can relate the design of a device to improve its safety, e.g.:

  • Selecting another material or other components
  • Using a more legible font on a user interface
  • Introducing an input value range check
  • Restricting the intended purpose
  • Changing the system architecture, e.g., introducing a watchdog

Other actions might relate to quality management, e.g.:

  • Ensuring better qualification of employees
  • Improving a process, such as the development process
  • Introducing additional code reviews
  • Revising a checklist for reviewing software requirements
  • Introduction of a new metric for static code analysis

If you were to take one of these actions to prevent a nonconformity that has already occurred from occurring again in the future, these actions would not be preventive actions, they would be corrective actions. In another words:

you can’t take a preventive action if the problem has already occurred. If, after a problem has occurred, you want to make sure it doesn't occur again, that would be a corrective action not a preventive action, even though both have the same aim: to prevent a future problem.

Because most manufacturers only react when problems occur, there are a lot of corrective actions and not many preventive actions.

4. Regulatory requirements for corrective and preventive actions

a) ISO 13485

In section 8.5 (“Improvement”), ISO 13485 requires both corrective actions (section 8.5.2 “Corrective action”) and preventive actions (section 8.5.3 “Preventive action”).

Manufacturers must define processes and keep records for them and provide an explanation if they do not take any corrective or preventive actions in response to a customer complaint.

b) FDA

The FDA requires corrective and preventive actions in 21 CFR part 820.100. The requirements are essentially the same as those in ISO 13485.

c) MDR

The MDR and, likewise, the IVDR establish requirements for corrective and preventive actions. These include:

  • The QM system must cover these actions (Article 10)
  • This system must be audited by the notified bodies
  • Manufacturers must implement necessary corrective actions (Article 10)
  • Distributors, importers and authorized representatives must cooperate with this process
  • Manufacturers must report field safety corrective actions to the authorities
  • They are also obliged to decide which corrective and preventive actions are necessary using post-market data (e.g., Article 83 et seq.)
  • In the case of clinical investigations, sponsors must report corrective actions

5. The CAPA problem

The term CAPA stands for “corrective action and preventive action.” However, this combining of the two types of action is problematic for several reasons.

a) Problems with standard operating procedure

Some companies create a standard operating procedure (SOP) with the title “CAPA” and use this SOP to establish a common procedure for both corrective actions and preventive actions. However, you can’t only have one procedure because the two differ in several aspects, for example:


The employee suggestion scheme, the list of future standards and laws or technological trends indicate future and potential nonconformities. They are not really sources of information that report existing nonconformities whose causes the manufacturer needs to address with a corrective action.

Activities and roles

A corrective action requires different or additional activities and, in some cases, roles than a preventive action:

  • A root cause analysis is only required for corrective actions
  • A decision on whether the authorities have to be notified usually only has to be taken for corrective actions

Regulatory requirements

ISO 13485 has very precise requirements for handling nonconformities. This means that manufacturers have less freedom when it comes to corrections and corrective actions than they do with preventive actions.

If the MDR and IVDR had adopted the definitions contained in ISO 13485, we wouldn’t need to consider whether corrective actions as defined by the MDR are the same as corrective actions and preventive actions combined as defined by ISO 13485.

b) Problem with “non-significant changes”

The MDR grants transitional periods for “non-significant changes.” However, according to the MDCG, what is considered a non-significant change depends on whether it is related to a corrective action.

Fig. 2: Extract from MDCG document defining when a design change is “non-significant” This is the case for corrective actions. And for preventive actions?

Do preventive actions now also have to be considered “non-significant design changes”? This would open a whole range of possibilities for manufacturers. Or does the MDR now make a precise distinction between corrective and preventive actions?

Precise definitions of terms and consistent use of these terms would prevent such discussions.

6. Conclusion

The clear separation of corrections, corrective actions and preventive actions makes sense and manufacturers should pay attention to it. The fact that the EU regulations (MDR, IVDR) of all things destroy this conceptual integrity is annoying.


Prof. Dr. Christian Johner


A quick overview: Our


Learn More Pfeil_weiß

Always up to date: Our


Learn More Pfeil_grau