FAQ

How long should CAPAs remain open before escalation or management review?

Quality, Compliance and TraceabilityNonconformance, MRB and CAPA (NCR)Non-Conformance and CAPA

There is no universal number of days that CAPAs should remain open before escalation or management review. Expectations are set by your own QMS procedures, risk level, and regulatory context. What auditors and customers look for is that you:

  • Define timeframes and escalation rules in controlled procedures
  • Apply them consistently
  • Have traceable justification when you exceed targets

Typical timeframes used in regulated operations

Many aerospace and other regulated manufacturers use a tiered, risk-based approach:

  • Low risk / minor issues: target closure in 60–90 days, with escalation if overdue by 30 days or more.
  • Medium risk: target closure in 30–60 days, with earlier escalation (for example, overdue by 15–30 days).
  • High risk / safety or compliance critical: containment within 24–72 hours, with defined short milestones (for example, interim actions in 7–14 days, full CAPA in 30–45 days) and rapid escalation if any milestone slips.

These numbers are reference ranges, not requirements. Your actual limits should reflect product risk, customer requirements, and your ability to execute robust investigations without superficial fixes.

What should trigger escalation?

Escalation triggers should be explicit in your CAPA procedure and implemented in your QMS, MES, or tracking tools. Common triggers include:

  • Approaching due date: automated alerts (for example, 7–14 days before due date) to owners and functional leaders.
  • Exceeded due date: mandatory escalation to quality leadership or a cross-functional review board on or shortly after the due date.
  • Repeated extensions: additional approvals (for example, QA or management) once a CAPA has been extended more than once.
  • High-risk content: immediate visibility for CAPAs linked to safety, regulatory findings, or major customer escapes, regardless of age.
  • Systemic patterns: escalation when multiple overdue CAPAs occur in the same process, cell, or supplier, even if each is only slightly late.

In practice, many sites differentiate between operational escalation (to functional managers and quality) and formal management review (as part of scheduled management review meetings). Both need clear rules.

Linking CAPA age to management review

Most quality systems do not send each overdue CAPA directly to top management. Instead, they:

  • Track CAPA aging metrics (for example, average days open, number >90 days, number with multiple extensions).
  • Include those metrics as inputs to periodic management review (for example, quarterly or semi-annual).
  • Drill into critical or very old CAPAs (for example, >120 or >180 days) as specific discussion items.

In some regulated environments, procedures explicitly state that CAPAs exceeding a certain age (for example, 90 or 120 days) must either be:

  • Closed with documented evidence, or
  • Formally justified, re-risk-assessed, and approved at a defined management level.

Constraints and tradeoffs when setting timeframes

The right escalation timing depends on several factors that vary by plant:

  • Complexity of root cause analysis: Deep investigations (equipment qualification issues, multi-site problems, software changes, supplier redesigns) can legitimately exceed 90 days.
  • Brownfield system constraints: Legacy QMS or MES tools may not support flexible alerts or dashboards, requiring procedural workarounds or manual tracking.
  • Regulatory and customer expectations: Aerospace primes and regulators scrutinize very old CAPAs, especially if they relate to repeat findings. Aggressive deadlines with superficial fixes can be worse than well-justified, longer investigations.
  • Resource limits: Plants with limited quality engineering capacity may need more conservative commitments and stronger prioritization to avoid many CAPAs aging simultaneously.

Overly tight deadlines can drive shallow root cause analysis and ineffective actions. Overly loose or undefined timelines create audit and recurrence risk. A risk-based approach with documented rationale is generally more defensible than a one-size-fits-all number.

Practical pattern for most aerospace-grade environments

A common, defensible approach is:

  1. Define default targets by risk category (for example, 30/60/90 days) and document them in the CAPA procedure.
  2. Configure your systems (QMS, MES, or other tools) to generate alerts well before due dates and to flag overdue CAPAs in dashboards.
  3. Require formal justification and approval for any due date extensions, with updated risk assessment and interim controls documented.
  4. Include aging metrics and very old CAPAs as standard inputs to management review, not only reactive escalations.
  5. Ensure traceability so that any auditor or customer can see the history of assignments, extensions, risk assessments, and approvals.

In brownfield environments, this usually means integrating CAPA tracking with existing QMS records, NCR systems, and MES logs rather than replacing everything. Full system replacement is often difficult to justify given validation costs, downtime risk, and integration complexity.

What matters most to auditors and customers

Across different plants and systems, the specific number of days is less important than being able to demonstrate that:

  • You have clear, written criteria for CAPA timelines and escalation.
  • You follow those criteria in practice, with evidence in the records.
  • High-risk problems receive faster attention and appropriate interim controls.
  • Long-open CAPAs are actively managed, not forgotten backlog items.

If your current process leaves many CAPAs open for long periods without clear rationale or visibility, the priority should be to tighten governance and monitoring, then adjust timeframes based on real execution capability and risk.

Related Blog Articles

ISO 22400 for Aerospace and MRO: Standard KPIs in Highly Regulated Operations

How aerospace manufacturing and MRO organizations can apply ISO 22400 KPI definitions to standardize performance language while meeting strict traceability, regulatory, and turnaround requirements.

ISO 22400 Scope and Limits: Where Strategy Begins and the Standard Ends

ISO 22400 standardizes how manufacturing KPIs are defined and structured, but it deliberately stops short of telling aerospace plants which KPIs to use, what targets to set, or how to run performance programs. Understanding these boundaries is essential for building a standards-aligned KPI framework that still reflects your own strategy, risk profile, and regulatory obligations.

Building ISO 22400-Aligned Data Models for Connected Manufacturing

How to design ISO 22400-aligned data models that unify ERP, MES, SCADA, and historians into a consistent KPI layer for aerospace manufacturing.

DFARS CMMC Clauses Are Now an Execution Problem, Not Just an IT Problem

DFARS CMMC clauses formalize cybersecurity as a contract condition, but the work happens on the shop floor: evidence, training, access, change control, and traceability. Here is how to frame CMMC and NIST 800-171 evidence so audits do not collide with manufacturing reality.

Get Started

Built for Speed, Trusted by Experts

Whether you're managing 1 site or 100, C-981 adapts to your environment and scales with your needs—without the complexity of traditional systems.

Request a Demo
Explore Solutions

product

Shopfloor OperationsSupply Chain & ProcurementMROSolutions

Resources

BlogCommunitySecurity & ComplianceAPI & Integrations

About

About UsPrivacy PolicyCookie PolicyTerms of ServiceContact Us

© 2026 C981. All rights reserved.