What Is a CAPA — and Why Does the Format Matter?
CAPA stands for Corrective and Preventive Action. It is the structured process an organisation uses to respond to a problem — a nonconformity, a customer complaint, an audit finding, a deviation — by doing two distinct things: correcting the immediate occurrence, and preventing it from ever happening again.
Those two halves matter. A corrective action fixes what already went wrong: quarantine the bad batch, rework the defective unit, recall the affected lot. A preventive action changes the system so the same failure cannot recur: add a process control, install a poka-yoke, rewrite the SOP, retrain the operators. A CAPA that only corrects is firefighting. A CAPA that also prevents is improvement.
The reason the tracking format matters is that CAPA is not a single event — it is a workflow with a lifecycle, and most of the value leaks out between the stages. A problem gets logged but the root cause is never properly investigated. A corrective action gets done but the preventive action is forgotten. An action gets assigned but no one tracks the due date. The fix gets implemented but no one verifies it actually worked. A well-built CAPA tracker exists to close those gaps.
📋 Quick definition: A CAPA tracker (or corrective action log / CAPA register) is the single source of truth that moves each issue through the full lifecycle — Nonconformity → Root Cause → Corrective Action → Preventive Action → Verification → Closure — while keeping owners, due dates and effectiveness checks visible the whole way.
What’s Inside This CAPA Tracker Template
Search “CAPA template Excel” and you will find hundreds of free downloads. Almost all of them are the same thing: a flat list of columns with no logic behind them. They record CAPAs; they don’t help you manage them. This template was built to do the second thing.
It has six connected tabs:
| Tab | What it does |
|---|---|
| Dashboard | Live KPI cards (Total, Open, Overdue, Critical Priority), an ISO performance indicator strip, and six charts — all auto-updating from the register |
| Manager View | A one-screen executive briefing: headline KPIs, key charts, and live lists of the critical-priority and overdue CAPAs that need attention now |
| Register | The working log: 200 ready rows across the full CAPA lifecycle, with dropdowns, auto Risk Score, auto ageing flags, and column filters |
| Analytics | The helper tables behind the charts — CAPA by department, by month, root-cause Pareto, and average closure time |
| Instructions | The 8-step workflow, the Risk Score logic, the colour legend, and how to use the quick filters |
| Lists | The dropdown values and the numeric scoring weights — edit these to retune the whole tool to your organisation |
The features that separate it from a generic list:
- Automatic Risk Score & Priority — every CAPA is scored Severity × Likelihood × Detection and banded Low / Medium / High / Critical, so you triage by risk, not by date order
- Six analytics charts — status, priority, CAPA by department, CAPA by month (raised vs closed), root-cause Pareto (80/20), and average closure time
- ISO performance indicators — % closed on-time, average time-to-verify, number of reopened CAPAs, average closure time
- Conditional formatting — overdue turns red, due within 7 days turns amber, closed turns green, automatically
- Quick filters — slice the register by owner, site, standard, department or priority in one click
How to Use the CAPA Tracker — 8 Steps
Work each record left to right through the register. The tracker handles the calculations; you handle the thinking.
- Capture — Log the issue: CAPA ID, date raised, who raised it, department, site, applicable standard, source, and a clear problem description.
- Score the risk — Choose Severity, Likelihood and Detection from the dropdowns. The Risk Score and Priority band calculate automatically. Work Critical and High first.
- Find the root cause — Investigate why using 5-Why or Fishbone. Record the systemic root cause and tag its category (Method, Machine, Material, Man, Measurement, Environment). This tag feeds the Pareto chart.
- Define the corrective action — Fix this occurrence: containment plus correction.
- Define the preventive action — Change the system so it cannot recur. This is the part most teams skip — and the part that actually delivers improvement.
- Assign and track — Set owner, due date and status. The ageing flag auto-shows On-Track, Due Soon or OVERDUE.
- Verify effectiveness — Record the verified date and result. If the action was ineffective, mark it reopened and raise a follow-up. Time-to-verify calculates automatically.
- Close — Enter the closure date. The tracker logs whether it closed on-time or late and updates every KPI and chart.
✅ Tip: Only type in the white and grey cells. The blue-text columns — Risk Score, Priority, Days Open, Days-to-Verify and Ageing Flag — are formula-driven. Leave them alone and they stay accurate as you work.
The Risk Score — How Automatic Prioritisation Works
This is the feature that turns a passive log into a management tool. Every CAPA carries a numeric Risk Score calculated from three factors, each rated 1–4:
Risk Score = Severity × Likelihood × Detection (range 1–64, FMEA-style)
| Factor | What it measures | 4 (high) → 1 (low) |
|---|---|---|
| Severity | Impact if it occurs | Critical · Major · Minor · Observation |
| Likelihood | Probability of occurring | Almost Certain · Likely · Possible · Rare |
| Detection | How hard it is to catch before it reaches the customer | Very Hard · Hard · Moderate · Easy |
The Detection factor follows FMEA (Failure Mode and Effects Analysis) logic: a failure that is hard to detect scores higher, because an undetected failure is more dangerous than one your controls catch early. This is the same Risk Priority Number thinking used in automotive and medical-device quality systems — and it’s why this tracker prioritises differently from a simple severity list.
The score maps to a priority band that colour-codes automatically:
| Priority | Risk Score | What it means |
|---|---|---|
| Critical | 27 – 64 | Act now — safety, regulatory or recall exposure |
| High | 12 – 26 | Schedule this cycle — significant impact |
| Medium | 5 – 11 | Plan it in — limited but real impact |
| Low | 1 – 4 | Monitor — improvement opportunity |
Because the scoring weights live on the Lists tab, you can retune the model to your own risk appetite without touching a single formula. A medical-device manufacturer might weight Severity more heavily than a packaging plant — the tracker adapts to either.
What the ISO Standards Actually Require
CAPA is not optional for certified organisations. Three standards govern it, and they ask for broadly the same discipline.
| Standard | Clause | What it requires |
|---|---|---|
| ISO 9001:2015 | §10.2 Nonconformity & corrective action | React to the nonconformity, evaluate the need to eliminate the cause, implement action, review effectiveness |
| ISO 45001:2018 | §10.2 Incident, nonconformity & corrective action | Same discipline applied to health & safety incidents and hazards |
| ISO 14001:2015 | §10.2 Nonconformity & corrective action | Same discipline applied to environmental nonconformities |
| 21 CFR 820.100 | FDA Quality System Regulation | Documented CAPA procedures for medical-device manufacturers, including effectiveness verification |
Note the recurring phrase: review the effectiveness of the action taken. Auditors consistently find that organisations log corrective actions and close them without ever confirming they worked. That is why this tracker has a dedicated Verification column and a Time-to-Verify metric — the standard requires it, and it is the step most templates ignore.
⚡ ISO 9001:2015 §10.2 in plain language
When a nonconformity occurs, you must (a) react to control and correct it, (b) evaluate whether action is needed to eliminate the root cause so it doesn’t recur, (c) implement that action, (d) review its effectiveness, and (e) keep documented evidence of all of it. This tracker is built to produce exactly that documented evidence.
For the broader management-system context, see our ISO 45001 implementation guide. If your organisation is also navigating sustainability disclosure, our CSRD guide explains how quality and EHS data increasingly feed regulatory reporting.
The CAPA KPIs Worth Tracking
A CAPA programme that isn’t measured drifts. These are the indicators the dashboard calculates automatically — and the ones auditors and management reviews actually ask about.
| KPI | Why it matters | Healthy target |
|---|---|---|
| % closed on-time | Shows whether due dates are real or decorative | > 85% |
| Average time-to-verify | How long after action you confirm effectiveness | Trending down |
| Number of reopened CAPAs | Reopened = the first fix didn’t work — a root-cause quality signal | As low as possible |
| Average closure time | Overall responsiveness of the programme | Trending down |
| Open vs overdue | The backlog health check at a glance | Overdue near zero |
| Root-cause Pareto | Which 20% of causes drive 80% of your CAPAs | Concentrated, then shrinking |
The Pareto chart deserves special mention. By tagging each root cause with a category (Method, Machine, Material, Man, Measurement, Environment) and ranking them, the tracker shows you where to invest preventive effort for the biggest return. If 60% of your CAPAs trace to “Method,” the highest-leverage fix is your procedures — not another round of operator retraining.
Six Common CAPA Mistakes (and How This Template Prevents Them)
After enough audits, the same failure patterns repeat. Here are the most common — and how the tracker is designed to counter each.
- Treating the symptom as the root cause. “Operator made an error” is a symptom. Why was the error possible? The 5-Why / Fishbone column and the RC Category tag force the deeper question.
- Correcting without preventing. The single most common gap. Separate Corrective and Preventive Action columns make the omission visible — an empty preventive column is a red flag in plain sight.
- Never verifying effectiveness. ISO requires it; most logs skip it. The Verification column and Time-to-Verify KPI make it impossible to “close” a CAPA without addressing whether it worked.
- Prioritising by date instead of risk. The loudest complaint is not always the biggest risk. The automatic Risk Score puts a genuinely Critical issue above a noisy Minor one.
- Losing track of due dates. Actions quietly go overdue. The ageing flag turns amber at 7 days out and red when overdue — no manual chasing required.
- No trend analysis. A pile of closed CAPAs tells you nothing. The Pareto, monthly trend and reopened-count turn the log into insight about whether the system is actually improving.
💡 The bottom line: A CAPA log records problems. A CAPA tracker prioritises them, drives them to closure, verifies the fix, and shows you the trend. The difference is the logic behind the columns — and that’s exactly what this free template adds.
Related Resources & Tools
If quality and compliance management is part of a wider programme, these tools and guides connect directly to CAPA work:
- Intelex — enterprise EHSQ with ISO 9001/14001/45001 multi-standard CAPA management at scale
- ETQ Reliance (Octave) — configurable quality management with deep CAPA and nonconformance workflows
- MasterControl — validated CAPA for FDA 21 CFR 820.100 in life sciences
- SafetyCulture — frontline inspections and corrective actions from mobile
- Qualio — life-sciences QMS with built-in CAPA and effectiveness checks
- HSE KPI Dashboard (Excel) — the companion safety-metrics dashboard
- ISO 45001 Implementation Guide — where corrective action fits in your safety management system
This template is provided free by AiGreenTools for educational and operational use. It aligns to the cited standards but does not constitute certification or a guarantee of compliance — always validate against your own management system and regulatory obligations.

