Why Won’t My CAPA Process Work?

A process that identifies and eliminates non-conformances and potential non-conformances enables companies to realize not only a cost savings in the short-term, but could redefine a company culture centered on far-term accomplishments.

After a long inspection day with FDA, a company president commented to me, “I don’t understand it! I have been told that we issue CAPA reports like they were going out of style.

I recognize that our close-out performance is not something to be proud of, but the thing that really gets me goin’ is that we issue all of these CAPAs and the same issues pop up again and again and again. I don’t get it. This CAPA process still doesn’t work.”

A Common Situation (revisited)
As a third-party auditor, I assess the Corrective and Preventive Action Process or CAPA almost immediately after initiating the due diligence and document review stages of the audit process. The logistics of any audit become entwined with the CAPA process early on due to the fact that each process is affected by correcting non-conformances and preventing their reoccurrence in a timely manner. Companies that have ongoing issues with this process (“Our CAPA process still doesn’t work after all of these years”) usually:

  1. Issue too many CAPAs
  2. Open too many CAPAs
  3. Lack management’s commitment to “resource” these initiatives
  4. Retain only the quality department to work on these company-wide, quality data opportunities
  5. Fail to really verify or validate the effectiveness of the corrective/preventive actions taken, in a timely manner
  6. Weaken risk management tools being facilitated to define a triage-based decision-making process
  7. Run on a distinct and systemic failure mode that does not make management aware of the appropriate and relevant information brought into view because of these defectives—that is, quality data is not being used to its fullest extent for compliance and improvement opportunities   

Background Information

It is imperative that your company successfully use the CAPA process every day, as it impacts each procedure in the Quality Management System (QMS). CAPA is one of the key elements to a compliant QMS that will lead to improvement (with an ISO focus on continual improvement(s)) and compliance. A robust CAPA process is of the utmost importance to an orthopaedic device manufacturer in an age when recalls are prevalent, warning letters for repeat offenders are on the rise and Medical Device Reporting continues to be a gauge for failure affecting human beings. A process that identifies and eliminates non-conformances and potential non-conformances enables companies to realize not only a cost savings in the short term, but could, more importantly, redefine a company culture centered on far-term accomplishments.

Not every problem or non-conformance requires corrective action, per se. Yet, I continue to notice companies where every defective that is realized is being captured in a cumbersome CAPA process using formats far too complicated for mere aberrant issues. Whether “full” corrective action is needed varies by the type of device being manufactured, the risks involved with each occurrence and the severity of the outputs. Another process enhancement should be that CAPA decisions are no longer for only one individual or just the quality department to make. Companies that I have worked with—before and after FDA inspections—commonly have a quality review board in place to facilitate the CAPA process using cross-functional team members to solve problems in a timely manner. FDA commonly emphasizes this crossfunctional point using the responsibility and authority-link throughout an inspection.

FDA requires that procedures are in place to ensure that information is disseminated to those directly responsible for assuring quality or the prevention of such problems, and to provide for submission of relevant information on identified quality problems, as well as corrective and preventive actions, for management review. Your company’s procedures should clearly define the criteria to be followed to determine what information will be considered relevant to the action taken and why. FDA emphasizes that it is always management’s responsibility to ensure that all non-conforming issues are handled appropriately, in a timely manner and using risk management as a foundation point for decision making.

FDA agrees that the degree of CAPA taken to eliminate or minimize actual or potential nonconformities must be appropriate to the magnitude of the problem and commensurate with the risks encountered. FDA will not dictate in a regulation the degree of action that should be taken, because each circumstance will be different, but FDA does expect your company to develop procedures for assessing the risk, the actions that need to be taken for different levels of risk, and the means to correct or prevent the problem from recurring, depending on that risk assessment.

The ISO Standard (as harmonized with FDA) identifies distinct components that are critical to understanding how to set up a CAPA system:

  • Correction—Action to eliminate a detected nonconformity (e.g. rework)
  • Corrective Action—Action to eliminate the root cause of a detected non-conformity or other undesirable situation
  • Preventive Action—Action to eliminate the root cause of a potential non-conformity or other undesirable situation
  • Risk Management—ISO 14971 defines the international requirements of risk management systems for medical devices, defining best practices throughout the entire life cycle of a device. Risk management uses policies, procedures and practices to systematically analyze, evaluate, control and monitor risk

Many companies fail to differentiate among these definitions. Some companies that I visit think that it is appropriate to have correction, corrective action and preventive action on the same issue—not all situations require that preventive action be taken, and there are times when companies want to independently take preventive action to solve a potential problem before it actually occurs. In any case, both corrective actions and preventive actions share effectiveness checks, i.e., verification or validation that the issue was truly resolved and nothing else was negatively impacted.

Noteworthy Points with a Closed Loop Policy in Place – Objective Evidence
It is significant to remember when documenting a CAPA that such documentation is intended to provide an open door to the following process elements to auditors (ISO) and investigators (FDA) alike:

  • A structure for directing current and future improvement activities
  • A tool for forward and backward traceability concerning defectives and process incongruities
  • The history explaining how the company complied with the regulatory and quality requirements to correct a nonconforming issue or defective devices
  • Employed reasonable measures to limit the risk to the end-user of being exposed to unsafe or ineffective orthopaedic medical devices
  • Management’s commitment, or non-commitment, to the QMS

The FDA Quality Inspection Strategy: The weakest links can cause a process to fail
The inspection strategy includes the following steps.

  • Verify that CAPA system procedures have been defined and documented
  • Determine if appropriate sources of product and quality problems have been identified
  • Discover and use unfavorable trends from identified and credible sources; challenge the quality data information system
  • Verify that the data received by the CAPA system are complete, accurate and timely
  • Detect recurring quality problems
  • Identify and develop the extent of product and quality problems
  • Determine if failure investigation procedures are followed
  • Establish whether appropriate actions have been taken
  • Determine whether corrective and preventive actions were effective and verified or validated
  • Verify that CAPA solutions have been implemented and documented
  • Inform management of CAPA measurements’ and metrics’ ROI during management review

Management’s Responsibility and the Audit Function
The QS regulation requirements are outlined in 21 CFR, Part 820.20. As indicated in the QS regulation, every quality system should include: management policies, objectives, an organization, documentation, performance of tasks according to policies, monitoring of the system (feedback) and corrective action as indicated by that feedback. Coincidently, Part 820.22 requires that the quality system be monitored through audits. The analysis and use of feedback data from product acceptance, audits, complaints, servicing/repairs and other quality data sources are necessary parts of a self-correcting quality system. Thus, the audit of a quality system is one of the most important cGMP requirements. The quality system first implemented by a new manufacturer will change as the manufacturer grows and as the company’s products, operations and employees change. Therefore, a quality system should change with the company. Quality system audits are the primary tool for assuring that the quality system changes are correct and are correctly implemented. A quality system audit process that has been established in accordance with the QS regulation and implemented in sufficient depth can detect undesirable variations and trends in operating procedures. Management awareness of these undesirable variations should lead to corrections and help prevent the design and production of unsafe, unreliable or ineffective devices.

The QS regulation requires follow-up corrective action, including re-audit. When indicated, audit results shall be given to individuals responsible for each of the operations audited (process ownership, exemplified), especially if deficiencies are found. Results shall be reviewed by all key management personnel, especially those responsible for the matters audited.

General Failure Investigation: Measuring trends will set the tone for CAPA “return-on-investment”
The use of CAPA for failure investigation andvice versa is a measurable and organized way to assure that all facets of an analysis are addressed and well-documented. In order for a quality system to be self-correcting, data on quality problems from all sources should be fed back into the system (a closed loop investigatory process). For example, complaints, service reports and non-conforming products can provide valuable information that can point toward possible corrective actions.

The more comprehensive a quality system is in taking preventive action, the lower the probability of customer dissatisfaction and the resulting need for any corrective action. A true quality system has many preventive safeguards, including cGMP requirements for design, packaging, labeling, manufacturing control, installation, repairs and complaint and failure analysis. A quality system that also covers the user needs generally results in increased overall quality.

Your company is required to review, evaluate and, when appropriate, investigate complaints, establish and maintain written procedures describing the process used to perform these activities, and to designate a responsible individual or entity to perform these tasks. Complaints concerning death, serious injury or malfunctions, as defined in the MDR regulation, shall be reported to FDA as discussed. Manufacturers of any class of medical devices are never exempted from the QS regulation complaint requirements (Part 820.198) or the general record requirements (Part 820.180), which permit FDA review and copying of these records. Complaint file requirements are necessary to make certain that manufacturers have adequate quality systems for investigating complaints and taking corrective action. Access to complaint files, device-related death and injury reports, and complaints about device defects enables FDA to determine if a manufacturer’s QS and corrective actions are adequate.

Device Failure Analysis
Your company should process and analyze failed devices per 21 CFR, Part 820.100 (a)(1) stating that returned product is subject to corrective action. Failure analysis must be conducted by appropriately trained and experienced personnel, and they should use a written procedure to assure that the process of device handling and analysis will not compromise the determination of the cause of the device failure. The failure investigation and analysis should determine the actual failure mechanism to the objective level necessary to correct the problem. When systematic failure has been diagnosed and corrective action established, your company need not analyze all additional devices that are returned with the same symptoms.

If a failure is determined to be related to safety and effectiveness, the deficiency should be determined, corrected and documented. If an investigation verifies a particular device deficiency and that this deficiency may exist in other products, the investigation should extend to determining its effect on other medical products: preventive action.

In line with FDA inspection strategy, the ultimate responsibilities surrounding the corrective and preventive action subsystem are to collect information, analyze information, identify and investigate product and quality problems and take appropriate and effective corrective and/or preventive action to prevent their recurrence. Verifying or validating corrective and preventive actions, communicating corrective and preventive action activities to responsible individuals, providing relevant information for management review and documenting these activities are essential in dealing effectively with product and quality problems, preventing their recurrence and preventing or minimizing device failures. One of the most important quality system elements is the corrective and preventive action subsystem.

There are many reasons for failure when discussing the nuances of this “critical thread” process impacting every company’s QMS. Some reasons may be unique to your company and some are worldwide in similarity. From the worldwide vantage point of a third-party auditor and as an involved participant in numerous FDA inspections and ISO audits, there are clearly two root causes. Yes, two! Lack of management commitment to dedicate the time and resources to administering this process of corrective and preventive actions is high on the list, without a doubt. Secondly, most companies issue too many “full-blown” CAPAs that are low risk and probably deserve just a simple correction to fix the issue. If you don’t have a viable risk management process in place, you’ll never know, will you?

By the way, the company president I quoted at the beginning of this article simply looked in the mirror and answered her own questions.

John Gagliardi has had success over the past 40+ years in the medical device and pharmaceutical industries because of his practical approach to process-orientation and business. He has been actively involved in research and development, quality assurance, training, operations, process architecture, FDA inspections and regulatory affairs. John specializes in building systems in a compliant and business-ready manner. He can be reached by This email address is being protected from spambots. You need JavaScript enabled to view it..

MidWest Process Innovation, LLC

   Previous BONEZONE® articles on CAPA:

How to Avoid Major FDA Inspection Mistakes

Risk Management: The Science of Minimizing Uncertainties