Introduction
Failure investigations are the point at which a medical device manufacturer’s quality system either demonstrates genuine effectiveness or reveals its gaps. An FDA inspection evaluates not just whether procedures exist, but whether those procedures produce thorough, timely, and documented investigations that lead to real corrective and preventive actions.
This guide is for quality managers, regulatory affairs professionals, and operations leaders at medical device manufacturers operating under 21 CFR Part 820 (which transitions to the Quality Management System Regulation, or QMSR, effective February 2, 2026). It covers the regulatory framework for failure investigations, the step-by-step process for conducting them, the connection to Medical Device Reporting (MDR) obligations, common failures that generate FDA Warning Letters, and what effective CAPA looks like in practice.
The central principle of failure investigation under FDA regulation is simple to state and difficult to execute: you must identify the root cause, not just the proximate cause, and your corrective action must address that root cause in a way that can be verified as effective.
Fundamental Concepts
What triggers a failure investigation?
Under 21 CFR Part 820, failure investigations are triggered by several types of quality events:
Complaints: Under 21 CFR 820.198 (Complaint Files) and the equivalent QMSR/ISO 13485 Clause 8.2.2, manufacturers must review, evaluate, and investigate any complaint involving the possible failure of a device, labelling, or packaging to meet any of its specifications. Complaints received must be reviewed by a formally designated unit.
Out-of-specification (OOS) results: In-process and finished product test results that fall outside established specifications trigger investigation requirements. As with pharmaceutical OOS investigations, passing a retest does not close an OOS without a proper investigation into the original result.
Nonconforming product: Discovery of product that does not meet specifications at any stage triggers nonconformance procedures, which feed into CAPA.
Adverse event/MDR events: Malfunctions, serious injuries, or deaths involving a device may trigger both an internal investigation and an MDR report to FDA (covered separately below).
Internal audit findings: Systematic deficiencies identified during internal audits may require formal CAPA depending on their nature and scope.
Trend data: A pattern of complaints, nonconformances, or service calls that individually may not trigger formal investigation but collectively indicate a systemic problem should trigger CAPA under the trend analysis requirements of 21 CFR 820.100(a)(1).
What is CAPA?
Corrective and Preventive Action (CAPA) is the systematic process by which manufacturers investigate the root cause of a quality problem and implement changes to address it. Corrective action addresses problems that have already occurred. Preventive action addresses the risk of problems occurring in the future based on identified potential causes.
CAPA is mandated by 21 CFR 820.100 and is one of the most consistently cited areas in FDA medical device inspections. CAPA failure was the number one cited observation for companies receiving Official Action Indicated (OAI) designations from FDA inspections in 2024, according to FDA enforcement conference data from December 2024.
Step-by-Step: Conducting a Failure Investigation
Step 1: Identify and document the event
All complaints, nonconformances, and potential failure events must be captured and documented at intake. The documentation should record: what was reported, when it was reported, who reported it, what device or lot is involved, and any immediate information available about the nature of the failure.
Timeliness matters at this step. Under MDR regulations (21 CFR 803), certain events involving death, serious injury, or malfunction must be reported to FDA within specific timeframes (30-day reports for most events, 5-day reports for events that require immediate remedial action). The investigation clock starts when the manufacturer becomes aware, not when the investigation is formally opened.
Step 2: Assess whether a formal investigation is required
Not every complaint or nonconformance requires the same depth of investigation. The degree of investigation should be commensurate with the significance and risk of the nonconformity, per 21 CFR 820.100(a)(2). A low-risk cosmetic packaging issue may require less investigation than a functional malfunction report that triggered an adverse event.
The assessment should be documented. If a manufacturer determines that a complaint does not require formal investigation because a similar investigation was previously conducted, that determination must be documented with justification referencing the prior investigation, per 21 CFR 820.198(c).
Step 3: Determine scope and containment
Before root cause analysis begins, the investigation should define its scope: which products, lots, processes, or sites are potentially affected. This scope assessment is frequently missing or inadequate in FDA-cited investigations.
A July 2024 Warning Letter issued to Jiangsu Caina Medical Co., Ltd. illustrates this gap directly. FDA found that after the manufacturer confirmed pump incompatibility in one syringe size, it failed to assess whether the same incompatibility risk applied to other syringe sizes marketed under the same brand. FDA concluded that this failure “may have contributed to a delay in recognition that the risk of incompatibility applied to additional sizes.” Incomplete scope assessment is not a minor procedural gap; it can delay recognition of a safety risk that affects a broader patient population.
Step 4: Conduct root cause analysis
Root cause analysis (RCA) is the technical core of a failure investigation. The objective is to identify not just what happened, but why it happened at a level that is specific enough to drive an effective corrective action.
Common RCA methodologies used in medical device quality systems include the 5 Whys (iterating through causal layers until a systemic root cause is identified), fishbone/Ishikawa diagrams (mapping potential causes across categories such as equipment, methods, materials, people, environment, and measurement), and fault tree analysis (for complex, multi-factor failure modes).
The Greenlight Guru framework for RCA in regulated manufacturing identifies six steps: create a problem statement based on data, determine causal factors, identify the root cause from those causal factors, decide corrective actions, evaluate the RCA process, and make improvements as necessary. The key point is that root cause is not the same as contributing factor. A single investigation may identify multiple contributing factors but should identify one or more root causes that, if addressed, prevent recurrence.
Categories to consider systematically in medical device failure investigations include: – Laboratory controls and test method limitations – Process variability and process controls – Raw materials and supplier controls – Equipment and facility conditions – Contamination routes – Human factors and training adequacy – Design factors (if the failure involves a design characteristic)
Step 5: Implement corrective and preventive actions
Based on the root cause, define specific corrective actions (addressing what happened) and preventive actions (addressing the risk of similar events in the future). Each action should have a defined owner, a completion date, and a verification method.
The CAPA procedure under 21 CFR 820.100 and ISO 13485 requires that corrective and preventive actions be verified or validated prior to implementation where possible, and that changes resulting from CAPA be documented in controlled documents (SOPs, work instructions, specifications, etc.).
Actions that are defined but not implemented, or implemented but not documented in the controlled document system, are a common source of repeat inspection findings.
Step 6: Verify effectiveness
Verification of Effectiveness (VoE) is the step that most frequently gets skipped or treated as a formality. The VoE check confirms that the corrective action actually prevented recurrence of the original problem. It requires a defined time period, defined criteria for success (often a measurable reduction in complaint rate, OOS rate, or nonconformance rate), and documented evidence of the outcome.
Under 21 CFR 820.100(a)(6), manufacturers are required to verify or validate corrective and preventive actions to ensure that such actions are effective and do not adversely affect the finished device. “Closed” CAPAs with no VoE documentation are a red flag in FDA inspections.
Step 7: Close the investigation and update records
Once the CAPA is implemented and effectiveness is verified, the investigation file should be closed with a documented summary of findings, root cause, actions taken, and effectiveness verification outcome. The Device History Record (DHR), Device Master Record (DMR), and any affected controlled documents should reflect any changes made.
Under 21 CFR 820.198 for complaints, investigation records must be maintained at the manufacturing establishment or a designated location and be available for review by FDA during inspections.
Requirements and Considerations
Medical Device Reporting (MDR) obligations
Failure investigations and MDR obligations are closely connected but are separate processes. Under 21 CFR Part 803, device manufacturers must report to FDA:
- Within 30 calendar days of becoming aware of information that reasonably suggests a device malfunction would be likely to cause or contribute to serious injury or death if it were to recur.
- Within 5 calendar days when a malfunction requires immediate remedial action to prevent unreasonable risk of substantial harm to the public health, or when FDA requests a 5-day report.
The internal investigation does not need to be complete before an MDR is submitted if the required information is not yet available. Initial MDRs can be submitted with available information and supplemented as the investigation progresses.
Importantly, the complaint handling and investigation records that support MDR decisions are inspectable by FDA under 21 CFR 803.18. Manufacturers should ensure that the link between a complaint record, its investigation, and any MDR filed is clearly traceable in the quality system.
QMSR transition considerations
The QMSR, effective February 2, 2026, incorporates ISO 13485:2016 by reference into 21 CFR Part 820. For complaint handling and CAPA, the substantive requirements are largely harmonised, but manufacturers should review: – ISO 13485 Clause 8.2.2 for complaint handling requirements – ISO 13485 Clause 8.5.2 for corrective action requirements – ISO 13485 Clause 8.5.3 for preventive action requirements
Procedures written for the current 21 CFR 820 QSR should be reviewed against ISO 13485 language to ensure alignment before the February 2026 effective date.
Common Mistakes
| Mistake | Why it matters |
|---|---|
| Closing OOS results based on passing retests without investigation | FDA’s consistent position: a retest cannot invalidate an OOS result without a formal investigation into its cause |
| Scope limited to the specific lot or complaint without assessing broader impact | Failure to assess whether the root cause affects other products or sites is a recurring Warning Letter finding |
| Root cause stated as “human error” without further analysis | “Human error” is almost always a symptom of a systemic failure in training, procedure, or process design |
| CAPA defined but not implemented in controlled documents | A CAPA that doesn’t change a procedure, work instruction, or specification has not addressed a systemic root cause |
| Verification of Effectiveness not completed or documented | VoE is a regulatory requirement, not optional; closed CAPAs without VoE documentation are inspection findings |
| Trend data not analysed to trigger CAPA | Complaints or nonconformances that individually don’t meet investigation thresholds but collectively indicate a pattern require CAPA initiation |
Advanced Considerations
Supplier-related failure investigations
When a failure investigation identifies a raw material, component, or contract manufacturing issue as a contributing or root cause, the investigation must extend to the supplier relationship. Under 21 CFR Part 820 and ISO 13485, manufacturers are responsible for qualifying and monitoring their suppliers and cannot outsource their quality obligations.
Supplier CAPAs (where the corrective action is assigned to a supplier) must be tracked and verified by the device manufacturer, not just accepted on the supplier’s assurance.
Design-related failures
If a failure investigation identifies a design characteristic as a root cause or contributing factor, a design change may be required. Design changes for marketed devices require a design verification and validation process, risk management review under ISO 14971, and submission to FDA if the change is significant under 21 CFR 807 (510(k)) or 814 (PMA) requirements. Failure to involve the regulatory affairs function in investigations that implicate design is a common gap.
CAPA system assessment from FDA's perspective
FDA’s inspection approach to CAPA is explicitly systemic: investigators verify that appropriate sources of product and quality problems have been identified, data from those sources are analysed for existing and potential causes, investigations determine root causes, corrective actions are implemented, and effectiveness is verified. A site can have dozens of completed CAPA records and still fail this assessment if the system as a whole does not function as described.
Frequently Asked Questions
Does every complaint require a formal investigation? No. 21 CFR 820.198 requires investigation of complaints involving possible failure of a device to meet specifications, but allows that a new investigation is not required if a similar investigation was previously conducted. The decision not to investigate must be documented with justification.
Can an MDR be submitted before the investigation is complete? Yes. If all required MDR information is not yet available, the report should be submitted with available information and the remaining fields completed as the investigation progresses (supplemental MDR).
What is the difference between a corrective action and a preventive action? Corrective action addresses a problem that has occurred: it eliminates the cause of an existing nonconformity. Preventive action addresses a potential problem that has not yet occurred: it eliminates the cause of a potential nonconformity. Both are required under 21 CFR 820.100.
Does the QMSR change CAPA requirements materially? Not substantially. ISO 13485 Clauses 8.5.2 and 8.5.3 align closely with the current 21 CFR 820.100 requirements. Manufacturers should verify their procedures reference the relevant ISO clauses and that their language is consistent with ISO 13485 requirements.
Who is responsible for the failure investigation? The Quality Unit has oversight responsibility, but investigations typically involve cross-functional teams including quality, operations, engineering, and often supplier quality. The Quality Unit must approve and close investigations.
Related Resources
- A Situational walkthrough of how an investigation team should respond when an OOS result is followed by a passing retest.
- An Insights analysis of CAPA failure patterns in FDA inspections across regulated industries in 2024.
- A Law overview of Medical Device Reporting requirements under 21 CFR Part 803.
- FDA QMSR Final Rule (February 2, 2024)
Summary
Effective failure investigations require a system that consistently identifies, scopes, and analyses failures to their root cause, implements corrective and preventive actions in the controlled document system, and verifies that those actions are effective. The most common gaps are scope limitation (not assessing broader impact), root cause superficiality (stopping at proximate cause), and VoE failure (closing CAPAs without documented effectiveness evidence).
With the QMSR taking effect in February 2026, manufacturers should ensure their investigation and CAPA procedures align with ISO 13485 language while preserving compliance with US-specific requirements including MDR reporting obligations. The underlying expectation has not changed: when something goes wrong, find out why, fix the system, and prove it worked.
Sources
- eCFR, “21 CFR Part 820: Quality Management System Regulation”
- SimplerQMS, “FDA 21 CFR Part 820 Quality System Regulation: Definition, Requirements, Key Changes”
- Enlil, “21 CFR Part 820 Explained: A Complete Guide”
- FDA, “Warning Letter: Jiangsu Caina Medical Co., Ltd.” (July 2024)
- Compliance Architects, “Navigating the CAPA Conundrum: Problem Statements and More” (December 2024)
- Greenlight Guru, “Understanding Root Cause Analysis in the CAPA Process”
- The FDA Group, “Corrective and Preventive Action (CAPA): The Definitive Guide” (2026)
- MasterControl, “Corrective and Preventive Action (CAPA)”
- Synectic, “FDA 21 CFR Part 820: Quality System Regulation for Medical Devices”
- ComplianceOnline, “The Fundamentals of Medical Device Complaint Handling”