How to Avoid Risky CAPA Decisions

In my travels I work with large and small companies, and all of these firms have difficulties with the corrective and preventive action (CAPA) process. For the life of me, I can’t figure out why. Then again, what other process touches each and every part of the QS Regulation and the 13485 Standard? What other process deals with all of the negatives dealt out by inadequacies and inconsistencies in the entire Quality Management System (QMS)? How positive a “spin” can you put on complaints, non-conformances, adverse events, audit findings, defective products, process failures and medical device reporting? The CAPA process requires tenacious process owners with documented follow-up and follow-through. In this age of instant gratification, this process touches the very fiber of your company’s core competencies and must be dealt with methodically. You can’t dial up improvement by running your finger across a screen. 

The “action” part of corrective and preventive sometimes takes months to fix, and then a fair amount of time to determine whether the fix really works. Companies now and again lose track of their CAPAs, and generally have trouble dealing with and remembering long-term initiatives. It can become a monster that just won’t obey. Fire-fighting companies tend to deal in the “here and now” and wouldn’t (or couldn’t) plan a free lunch, much less a long-term corrective action. This is a generalization, but here goes—companies with successful process controls usually have a better handle on facilitating the CAPA process than companies that have to solve a multitude of problems all day and every day (to “make it work”). The latter of these companies are so in tune with solving brand new, daily problems on the run that CAPA initiatives lasting more than three days cause consternation, undertones of “this is taking too long” and the inability to focus on long-term goals.

Making every defective a long, drawn-out corrective action is not the answer. Handling systemically-driven issues by making them just corrections is not the answer, either. There needs to be a common denominator that helps with the decision-making as to how far you have to go when confronted with a defective situation. Risk management fits the bill because it tends to use quantitative results and statements to make decisions, rather than “hip shots,” and it touches every square inch of the quality management system…like CAPA. What a coincidence. Reducing uncertainties by using a risk management approach is the forerunner to quality improvement, successful corrective action and, when you really “get good at this game,” preventive action, as well. Yes, you can prevent defective issues by using risk-based planning and applying just the right amount of planning, i.e., reduce the costs involved with resource-intensive CAPAs that should simply be “just” a correction.

Defined Examples
Correction eliminates the problem, e.g., a quick fix such as “rework of non-conforming devices”

Corrective action eliminates the root cause of the problem, e.g., usually a systemic issue such as “the machine qualification was not achieved when the injection molding machine was rebuilt and caused defective devices to be manufactured”

Preventive Action is taking proactive steps to ensure that a potential nonconformity does not occur, e.g. “every time a machine is rebuilt, a machine qualification is strongly considered using a formally-issued go/no-go decision chart based upon risk management.” (We should check all of the machines that have had recent changes.)

Quality Review Board is a group of cross-functionally-related process owners who meet periodically to discuss and make decisions about non-conformances whether they are product- and/or process-based.

The Seven Steps in the CAPA Process
There are seven steps that must be taken when performing a full-blown corrective action, whereas a correction commonly involves only steps one, two and three:

  1. Define the problem. Make sure the problem is a real problem and not a perceived problem.
  2. Define the scope. Make sure you understand the extensiveness of the problem.
  3. Take Containment Actions. Make a correction to stop the problem immediately while you look for and correct the ultimate cause.
  4. Find the Root Cause. Try to identify the underlying problem, not just the one on the surface. Ask the five “whys.”
  5. Document a Corrective Action Plan. Decide what steps are needed to eliminate the root cause of the problem.
  6. Implement the Corrective Action. This is as simple as following through on your plan and enabling a systemic action.
  7. Verify that the plan worked. After you have put corrective action in place, wait a suitable amount of time to make sure that the problem doesn’t recur. If it does, you need to ask if you determined the actual root cause.

Risk has Many Layers
Risk analysis is analyzing current risks you know you have, whereas risk assessment is assessing current and potential risks that you may face. The process of combining a risk assessment with formal decisions on how to address that risk is called risk management.

Implementing a risk‐based CAPA process within a QMS is a necessity these days in the improvement of controls aligned with product and process non-conformances, adverse events, audit findings, complaints, etc. Making decisions concerning scope and extent about these “defectives” is a modern and cost-saving approach to improvement and compliance. Not every non-conformity forces you to open a corrective action. While almost every problematic issue needs at least a correction, the biggest payback is to use corrective actions on systemically-driven problems that are repetitive and recurring. If a problem has only occurred once, then performing and documenting an extensive corrective action process will be too expensive (time, people, resources). However, if it occurs several times a month or is a documented trend, an investigation and corrective action will likely save money over time, since there will be a “marked economy” of resource-driven activities.

Risk Management
Risk management is not new to the quality and compliance industry. Risk has always been a prominent feature in standards such as ISO 13485, ISO 14971 and the QS Regulation. In 1996, the preamble to the QS Regulation addressed risk when FDA stated that it had deleted the phrase “hazard analysis” and replaced it with the phrase “risk analysis.” FDA’s involvement with the ISO TC 210 made it clear that “risk analysis” is the comprehensive and appropriate term. When conducting a risk analysis, manufacturers are expected to identify possible hazards associated with the design (product and process) in both normal and fault conditions. The risks associated with the hazards, including those resulting from user error, should then be calculated in both normal and fault conditions. If any risk is judged unacceptable, it should be reduced to acceptable levels by the appropriate means; for example, by redesign of the device or the process that enables manufacturing the device. An important part of risk analysis is ensuring that changes made to eliminate or minimize hazards do not introduce new hazards. Tools for conducting such analyses include Failure Mode Effect Analysis and Fault Tree Analysis, among others.

Risk Management File
A risk management file is an essential part of any medical device’s technical documentation because it details the hazards and risks linked to use of a device and the processes supporting the manufacturing of the device in order to optimize safety and performance. You will end up bringing this file to Quality Review Board meetings and management reviews. Manufacturers usually construct the risk management file by continuously analyzing the risks of their devices and processes throughout the device’s life cycle. Applying the methods of determining risk to the device’s complete life cycle, from the conception to final disposal and decommissioning, will give a manufacturer a complete look at all of the device’s risks—including process risks. Manufacturers should be able to justify that they have reduced the risks as far as possible as part of their risk management plan, included in their technical documentation.

The Bottom Line
For basic CAPA compliance, manufacturers must ask the following four questions:

  1. Has the problem been systemically identified?
  2. Has the extent of the problem been acknowledged?
  3. Have the root cause(s) of the problem been identified and then addressed based upon risk choices?
  4. Has the corrective action(s) been defined, planned, documented and verified as effectively implemented?

Closing Comments
Your company is responsible for the implementation and maintenance of a QMS, which supports and mandates that your company provide safe and effective medical devices that meet customer and regulatory requirements.

When non-conformity is identified, your company must determine the significance, associated risk and potential for recurrence. Once these risks have been determined, you may decide that the non-conformity has little associated risk or is unlikely to recur. In such cases, the Quality Review Board may decide only to carry out a correction (low risk). Should the non-conformity recur within the QMS, it could be an indication that improvement actions may be needed. In either case, the QMS requires that a corrective action should be carried out with the aim to prevent recurrence. During the investigative phase, your company may encounter situations that have not actually caused non-conformity, but may do so in the future. Such situations may call for preventive action.

As a check on the effectiveness of defined processes, management must regularly review the outputs of these processes and make adjustments as required. The Quality Review Board will have a great deal of impact on how and where these activities are presented and then solved. Documented procedures, requirements and records should be maintained by your company to ensure and demonstrate effective planning, operation and control of the processes. Documented objective evidence of decisions and actions taken will be a part of QMS records to show compliance as well as improvement.

ISO 13485 is very prescriptive as to what quality data is provided as input for the management review. The QS Regulation, not so much. Your company needs to define what meaningful data is to be reported for a management review. Data should be specific to your company’s quality objectives. Not only are compliance issues important, but including the appropriate information from the improvement processes, such as corrective actions and/or preventive actions, is mandatory. Even if corrections may seem like they are low risk, the resulting trends from “important corrections” could be instrumental in defining your company’s improvement initiatives.

John Gagliardi has had success over the past 45 years in the medical device and pharmaceutical industries because of his practical approach to process orientation and business. He has been actively involved in research and development, quality assurance, training, operations, process architecture, FDA inspections and regulatory affairs. Mr. Gagliardi specializes in building systems in a compliant and business-ready manner.

MidWest Process Innovation, LLC