CAPA Notes from an FDA Inspection

Corrective and Preventive Actions or CAPA touches nearly every process in the Quality Management System (QMS). We seem to never stop talking about it. And then we never stop finding new ways to discover the proper objective evidence to establish compliance to 21 CFR, Part 820.100. I was reminded of this during a recent FDA inspection and thought I would share pieces of personal insight gained while participating in the interactions between the inspector and the medical device manufacturer.

In short, it’s intense.

In seriousness, most medical device companies consider CAPA to be the most important section of the QS Regulations. FDA surely regards this process as a “driver” and not just a “participant” in the general scheme of compliance architecture. Some examples include: CAPA gets top management’s attention at Management Review. Quality audits and corrective actions taken are measured and assigned incredible metrics. Complaints and corrective actions seem to be in the same sentence every time I read about the investigation/resolve and dealing with root causes relating to producing nonconforming product if, for example, a machine is not suitably qualified. This is on the mark, especially if there are trends involved. It seems as though the involvement of top management was always part of the commitment it takes to enable this CAPA process as not only compliant, but also effective and efficient.

Basic Premises – The agency’s policy relative to the review of quality audit results is stated in CPG 7151.02. This policy prohibits FDA access to a firm’s audit results. Under the QS/ GMP, this prohibition extends to reviews of supplier audit reports and management reviews. However, the procedures and documents that show conformance with 21 CFR 820.50, Purchasing Controls, and 21 CFR 820.20(3)(c), Management Reviews, are subject to FDA inspection.

The procedures (for implementing corrective and preventive action) must provide for control and action to be taken on devices distributed, and those not yet distributed, that are suspected of having potential nonconformities.

Procedures and Work Instructions 

From the start of the FDA inspection, the objectives for determining if the CAPA process was working were in “full swing.” The first step was to verify that CAPA system procedures that address the QS Regulation requirements were
accurately defined and documented in a complete and understandable manner. This is probably the most prescriptive QS Regulation section. It is almost always evaluated for efficacy and efficiency by regulatory investigators. It is a key to preventing internal and external failures.

The purpose of the CAPA process is to collect information, analyze information, identify and investigate product and quality problems and take appropriate and effective corrective and preventive action to prevent their recurrence. This
must be procedurally- and work-instruction-driven. In terms of conducting an investigation into issues, the FDA inspector was looking for correlation among the CAPA, Complaint Handling, Non-conformance and Audit Procedures. The Risk Management Procedure was being referenced in continuum with an emphasis concerned with decision-making in a quantitative manner. The linked procedures had to “talk to each other.” The CAPA-linked documents should include procedures for how the firm will meet the requirements for all elements of the CAPA subsystem (e.g., linkages).

Sources of Data

The FDA inspector wanted to know what sources of product and quality problems have been identified to confirm that data from these sources were analyzed in a robust manner to identify existing product and quality problems in a timely manner and that may require corrective action. The inspector continued to review records for investigations to identify common failure trends (e.g., by component, subassembly, manufacturing error or employee training) and proceeded to compare these trends with corrective action documentation.

Examples of Internal Data Sources that were analyzed:

• Process control data
• Test/inspection data
• Device history records
• Nonconforming material reports
• Rework and yield data
• Training records

Examples of External Data Sources that were analyzed:

• Supplier controls
• Complaints
• Adverse event reporting (ADR)
• Postmarket surveillance conclusions
• MAUDE data

Where the data comes from is an important matter. It was established that this company routinely analyzed quality data regarding product and quality problems in a Quality Review Board meeting held at least once per month. This analysis included data and information from all acceptance activities relating to component, in-process and finished device testing, complaints, returned product records, audit reports, postmarket surveillance numbers, corrective actions and timing issues. The inspector reviewed records from a variety of the data sources to determine whether the data were entered into the CAPA system and whether the data was both accurate (cross-checking other records) and complete (went back eighteen months). Linkages utilized for this activity included acceptance activities, nonconforming product, complaint files, quality audits and Medical Device Reports (MDR).

Note: Common failure trends could provide clues to which areas or products to focus on during the inspection. The focus was on reliability issues that have not been documented for corrective and preventive actions. As a preventive action, your company should focus on failure trends (like the FDA inspector did).

Trends

Also, concerning trends and determining if sources of product and quality information show unfavorable trends and how these trends were identified, the inspector wanted solid assurances that data from these sources was periodically and formally analyzed to identify potential product and quality problems that may require preventive action. He challenged the quality data information system so as to verify that the data received by the CAPA system was complete, accurate and timely. We discussed what statistical methods were employed (where necessary) to detect recurring quality problems.

Note: The results of analyses should be compared across different data sources to identify and develop the extent of product and quality problems. The analysis of product and quality problems included the comparison of problems
and trends across at least a half a dozen, plus different data sources. The full extent of a problem must be captured quantitatively before the probability of occurrence, risk analysis and the proper course of corrective or preventive action can be determined. Analysis of risk was reviewed on an ongoing basis. Risk was mentioned more times than I can remember. Using ISO 14971 was part of those conversations.

This inspector wanted to see failure investigation procedures and whether or not the present work instructions and forms were being followed to the letter. He wanted to determine whether root cause was really determined and that the
distribution of nonconforming product was not a possibility. He continued to look at the provisions for identifying the failure modes, their significance, the rationale for determining if a failure analysis should be conducted as part of the investigation, and the depth of the failure analysis. You’re right. We discussed how risk management made an impact here.

When we finally got to look at some actual corrective action records there was an inordinate amount of time spent proving that the actions were effective and verified or validated prior to implementation. For the most part, to confirm that corrective and preventive actions do not adversely affect the finished device. We established timely implementation and periodic reviews, even though some of the corrective actions took a long time to complete. There was a high-energy review of related procedures and of the management review agenda involved with corrective action closures, and whether or not
these actions were disseminated to executive management.

Actions Taken

Significant corrective actions were separated from the list of corrective actions to determine if the ramifications for these issues extended beyond the action taken, such as changes in component suppliers, training and changes to acceptance activities, field action or other applicable reportable actions.

Where Corrective and Preventive Actions were Effective and Verified or Validated

Using this same sample of significant corrective and preventive actions, a check of the effectiveness of these corrective or preventive actions was taken by reviewing product and quality problem trend results. He inquired as to any similar product or quality problems after the implementation of the corrective or preventive actions.

Note: Corrective actions must be verified and (if applicable) validated. Corrective actions must include the application of design controls if appropriate. Determine if your company has verified or validated the corrective or preventive actions so as not to adversely affect the finished device. This can be achieved using such tools as a (1) verification or validation protocol, (2) verification of product output against specified requirements, (3) ensuring that testing instruments are preventatively maintained and under calibration checks and (4) that test results are accurate and available for review. Because much of this information comes from design controls as a basis for production and process controls, the design transfer process was reviewed in a detailed manner.

To determine if any changes have been documented and implemented, it was necessary to view actual processes and controls, equipment qualifications, conduct a facility walkthrough and a thorough documentation correlation check. This is where production and process controls were challenged using change control and the use of the Process Failure Mode Effects Analysis (PFMEA) and Failure Mode Effects Analysis (FMEA) records.

Management Review

During the inspection, it was determined that the relevant information regarding quality problems, as well as corrective and preventive actions, was submitted for management review by looking at agenda items and comparing these items with the Corrective Action and Complaint Log(s). A review of the raw data submitted for management review (and not the actual results of a management review) was then achieved.

Note: Review the CAPA (and other procedures if necessary) and confirm that there is a mechanism to disseminate relevant CAPA information to those individuals directly responsible for assuring product quality and the prevention of quality problems.

Conclusions and Notes

To recap the lessons learned from this experience, planning and the use of risk management are important starting points to defend this important process in the QMS. Plans should include (1) establishing credible sources for “data gathering” and meeting your own criteria for success, (2) measuring and analyzing this data in the same manner to assure the realization of trends, (3) make and implement plans for improvement and compliance and (4) keep management in the loop during Quality Review Board Meetings and, of course, Management Review Meetings.

Using a risk-based approach included selecting items with a potentially major impact, that is, product or process related. The Inspector proceeded to ask questions about high and low impact items to make sure that these areas were addressed.

It was emphasized that nonconforming products discovered before or after distribution be investigated to the degree commensurate with the significance and risk of the nonconformity. It applies to process and quality system nonconformities as well as product nonconformities, e.g., if an injection molding process with its known capabilities has a normal 5% rejection rate and that rate rises to 10%, an investigation into the nonconformance of the process must be performed.

There was much discussion around the degree of corrective and preventive action taken to eliminate or minimize actual or potential nonconformities. The reoccurring theme was that the magnitude of the problem must be handled in such a manner as to be related directly to the risks encountered.

It was concluded that corrective and preventive actions must be verified and/or validated for effectiveness.

Only certain information needs be directed to management, and procedures should clearly identify the criteria to be followed to determine what information will be considered relevant to action taken and why. The inspector emphasized
that it is always management’s responsibility to ensure that all nonconformity issues are handled appropriately. Using the required inputs for management review as spelled out in ISO 13485:2016 was mentioned, and the FDA inspector was aligned with that type of thinking.

It was established that FDA had the authority to review corrective and preventative action records and that these records should be readily available whether or not they include audit results (or not).

All in all, this has been a fairly typical FDA inspection so far. There was a lot of time spent in the “Land of CAPA” and the ancillary support processes that are commonly linked as part of every conversation. Corrective and Preventive Action activities touch every part of the QMS. It is how you handle this process that matters.

John Gagliardi has had success over the past 45+ years in the medical device and pharmaceutical industries because of his practical approach to process-orientation and business. He has been actively involved in research and development, quality assurance, training, operations, process architecture, FDA inspections and regulatory affairs. Mr. Gagliardi specializes in building systems in a compliant and business-ready manner. Mr. Gagliardi can be reached by email.

MidWest Process Innovation, LLC Save Supplier