Compliance, Quality & Risk / CAPA (Corrective / Preventive Action)

CAPA Lifecycle & Closure Tracker

Build your own internal tool that walks every CAPA through containment, root cause, corrective and preventive actions, implementation, and effectiveness verification - with required evidence and manager sign-offs at each gate so a CAPA can never be closed with steps skipped.

IntermediateA weekendBuilds onNext.js (App Router) on VercelSupabase (Postgres + Storage + Auth with RLS)Resend (email notifications)

What you'll build

A login-protected CAPA tracker where owners advance each CAPA stage-by-stage with required evidence, the quality manager approves every gate, closure is blocked until effectiveness is verified and approved, and the complete CAPA record exports to CSV/PDF for auditors.

Before you start

A free Supabase account
A free Vercel account
A free Resend account (or any email you can verify)
Your list of open CAPAs in a Google Sheet or CSV (or an intake tool that exports one)

The problem this kills

CAPAs go off the rails in the gaps between stages. A corrective action gets logged before anyone nailed the root cause. A CAPA gets marked "closed" because the action was done - not because anyone checked whether it actually worked. Due dates slip quietly inside a spreadsheet nobody opens. And when the auditor asks "show me the evidence and the sign-offs for CAPA-0142," you're reconstructing a story from email threads and memory.

The real failure isn't a single missed step. It's that nothing in your current process physically stops a CAPA from advancing - or closing - before its prerequisites are met. Spreadsheets don't enforce. People are busy. Stages get skipped, and you only find out during the audit.

This tool makes the discipline structural. A CAPA cannot move to "Corrective Action" without a documented root cause. It cannot close without verified effectiveness evidence the quality manager has approved. The rules live in the tool, not in someone's head.

What you'll build

A small, login-protected web app where:

Open CAPAs land in one place - imported from your CSV/Sheet (number, source, description, owner, due dates) or your intake tool, deduped by CAPA number so the same one can't enter twice.
Each CAPA moves through defined stages - Containment, Root Cause, Corrective Action, Preventive Action, Implementation, Effectiveness Verification, Closed - and each stage demands its own required fields and evidence before it will let go.
Owners submit, the quality manager approves. Every stage transition is a two-step gate: the owner submits the stage with evidence, the manager reviews and approves. Nothing advances on one person's say-so.
Closure is locked behind verification. The final gate requires effectiveness evidence the manager explicitly approves. No verified effectiveness, no closure - the button simply isn't available.
Due dates are tracked per stage, so an overdue Root Cause is visible long before it becomes an overdue CAPA.
Everything is logged - who did what, when, with what evidence - and the complete record exports to CSV and a print-ready PDF for auditors.

What's inside the Implementation Plan

The plan is a single markdown file you paste into Claude Code (a free AI coding agent). It builds the whole tool with you, step by step, in plain language - no prior coding needed.

It opens by interviewing you about your business. Before a line of code is written, the plan has the AI ask you about your real CAPA process: how you name and number CAPAs, which stages your quality system actually uses, what counts as acceptable evidence at each gate, who submits and who approves, your typical and peak CAPA volumes, your per-stage due-date rules, and the messy exceptions (emergency CAPAs, CAPAs that reopen, multi-site ownership). Then it reads a short tailored spec back to you and waits for your thumbs-up. You get a tool shaped to how you run quality - not a generic template you have to bend yourself around.

Inside you'll find:

The discovery interview and how your answers reshape the data model and the stage rules.
A clear definition of done so you know exactly when you're finished.
The exact accounts to set up and how to wire them together.
The build in copy-paste steps - each step ends with a ready-to-paste prompt for your AI agent.
A verification checklist to prove the gates really block what they should.
A "No API yet?" fallback: import from a Google Sheet/CSV and export a clean CSV in the exact columns your system expects - so it's fully buildable today, with zero integration work.

The governance it includes (this is the point)

This isn't a to-do list with a CAPA label. The controls auditors look for are built in from the start:

Login so only your team can use the tool.
Row-level security so each organization (or site) only ever sees its own CAPAs.
A complete audit trail - every submission, approval, rejection, and field change, with the person and timestamp.
A hard human-in-the-loop approval gate at every stage transition: the AI and the owner draft and submit, the quality manager reviews and approves, and only then does the CAPA advance or close.
Stage prerequisites enforced in code - no corrective action without a root cause, no closure without verified effectiveness.
Duplicate guards keyed on CAPA number so the same CAPA can't be processed twice.

Who it's for

Quality managers and CAPA owners in regulated or quality-driven operations (ISO 9001 / 13485, FDA, IATF, GMP-style environments) who need disciplined, audit-proof CAPA records - and who are tired of trusting a spreadsheet to enforce a process it was never built to enforce.

You've got this. Open the plan, paste the first prompt, and let the interview tailor it to your shop.