In 2023 there were 336 483s written toward the Devices industry on the Corrective and Preventive Action (CAPA) system. The focus of these was on procedures not adequately established as well as inadequate documentation of activities (corrective and preventive) by Device firms. These are foundational requirements outlined in CFR 820.100 and ISO 13485 for CAPA systems and are not necessarily new topics in 2024 (aside from the recent QSMR ruling from the FDA which looks to ensure a better harmonization between the two). I have been reflecting on my own experiences in the last 12 years in dealing with different variations of the CAPA framework process and when those systems failed to meet the requirements it was because the basics were not being performed.
In this article, I’m going to walk through the CAPA process that was developed to ensure compliance and ease of use to the end user no matter what kind of problem was escalated to the CAPA subsystem. I’ll cover some common pitfalls as well as what kind of governance structure should be put into place to ensure the process is managed and how to escalate project management and resourcing issues because let’s face it identifying the cause is one aspect but getting to the finish line can be a whole endeavor in of itself. The process I’m going to guide you through takes a similar risk-based approach that is outlined in this MDIC CAPA white paper and if you haven’t read this before I highly encourage you to do so before continuing reading here.
“If everything is a problem then nothing is a problem,” I remember hearing this statement or some variation thereof quite frequently before the eventual implementation of a risk-based CAPA evaluation approach that was implemented into the CAPA system. The previous system lacked a functional objective way to determine if a problem that was escalated to the CAPA review board warranted further investigation as that part of the CAPA process had not kept up with the other parts that were updated during FDA warning letter remediation efforts.
What are some indicators a CAPA system is not performing as it should?
- Every issue from the QMS is escalated to a full CAPA investigation.
- Risk Management principles are not built into the CAPA system.
- There is no governance process managing the CAPA system.
- Investigations go after symptoms and not getting to the root cause.
- Effectiveness checks are not statistically based or set based on risk.
- Only a small portion of employees understand how to use the system.
This is by no means an all-encompassing list but it should provide some insight into common issues that cause CAPA systems to fail to do the job that is expected in regulated industry. I’m going to walk through these and provide examples of what these look like, what to do about them and the value fixing them brings to the business.
Every issue from the QMS is escalated to a full CAPA investigation.
I listed this one first as it is one of the more common issues I’ve encountered while managing CAPA systems. Let’s face it in an ideal world there would be unlimited time and resources to fix every issue that came to your attention but in reality, businesses that are required to identify, document, and fix issues per the regulations also have to keep the business operating. There are tremendous expenses for businesses that take on regulated industries and the system to fix Quality issues should not become a burden to a business especially since it is meant to provide the means to solve problems and eliminate them. Therefore, if your system requires every problem in your QMS to go to a full CAPA investigation you could easily run out of resources to properly work on these and get buried. You may be asking how we accomplish this and stay compliant with the regulations and requirements of CAPA.
Risk Management principles are not built into the CAPA system.
- Do you have an evaluation process in your CAPA system?
This became an important process and will highlight a couple of the major indicators as mentioned above. An evaluation process for CAPA investigations is critical to have as it will help you determine the correct problems to focus time and energy on which in business terms equates to money. The following is how I structured a CAPA evaluation process that highlighted the problem in a way that allowed an objective risk-based conclusion to be made.
- The problem statement must be outlined and provide as much information as possible.
- Containment was focused on next within this process ensuring if there was a nonconformance distributed in a product Field Action processes were triggered immediately.
- A historical evaluation looking for similar CAPAs, Complaints, Field Actions, and NCMRs as well as if the problem was a known product risk from the risk documentation and what risk classification the problem was. Nonproduct risk (Quality System) was also classified but this was classed based on the work instruction definitions for frequency and type of issue identified.
- Process mitigations were documented next and can provide valuable insight.
- Risk occurrence summary which would highlight what kind of frequency the issue is currently occurring at. 1 in 1000, 1 in 10 etc.
- The trigger for Risk Management assessment is if what was identified is outside the current risk management documentation.
- Conclusion/Decision of CAPA investigation. CAPA Yes/No determination or was the evaluation going to close with a correction or no further action at this time?
The CAPA investigation process was required for the following situations:
- Corrections and Removals (Field Actions).
- High and Medium internal audit findings.
- All External audit findings.
- High-Quality System Process Risks.
- The safety issue that met the criteria of causing or contributed to a death or serious injury or it would be likely to cause or contribute to a death or serious injury should it recur and preliminary investigation indicates the incident to be the result of a malfunction of the device, failure of the device to meet specified requirements, except where the hazard is identified on the product labeling and is occurring within the expected frequency documented in the risk management file.
If the recommendation is no further action or corrections only the justification is required to have objective evidence to support these conclusions. Now, don’t get me wrong if your system has issues escalating and they meet the requirements for a full CAPA investigation then those need to be opened and dealt with and if a company needs to deal with lots of issues then additional resources may be required to get to a normalized state. I’ve used this approach for the last five years and it has been very successful in ensuring the proper problems are escalated and thoroughly investigated. Businesses will start to see a positive impact when the correct focus is put on the problems with the greatest risk to Customers/Patients/QMS compliance and eliminating them from occurring again.
There is no governance process managing the CAPA system.
This evaluation process must be fed into a CAPA review board made up of management of all the cross-functional departments. This is a critical process and if you don’t currently hold some sort of CAPA review board please get this in place ASAP. The length and frequency of when this group meets will depend on the business and how many current open CAPAs there are. In the busiest times during the FDA warning letter remediation, I had it running weekly for about an hour. In this meeting new CAPA requests were reviewed and if a CAPA was determined a lead investigator who would essentially manage the CAPA from start to finish was assigned as all the management was there to work through resourcing. I would also pull in other lead investigators who were running into roadblocks to have management help in getting through those as well as a look at the key metrics of the CAPA system that feed into Management Review. Every CAPA that completed the investigation and determined the cause would come back to the review board to give an overview of the cause(s) identified and the current proposal of actions to eliminate them. This would give management oversight on what kinds of cost(s) are being proposed before the work starts allowing some adjustments to be made if something was not viable at that moment. Without proper governance and oversight, CAPA systems will tend to get behind on due dates whether it be the investigation itself, the action dates, etc.
Investigations go after symptoms and not getting to the root cause.
When the CRB determines that a full CAPA investigation is required to identify the cause and eliminate an issue it has determined on behalf of the business to spend significant time, resources, and money to address the issue. This investment must ensure success and eliminate problems and to ensure this the cause of the issue must be identified and not the symptoms of the issue. There are many tools and techniques that can help you identify the root cause of the issue. If you’re not familiar with many of the tools, or how they can be used a great reference is the Quality Toolbox by Nancy Tague (No affiliate link). I would recommend having a copy for your CAPA management team that they can reference from time to time to help teams during root cause analysis meetings. Remember to gather objective evidence to support your claims for cause as this will be pressure tested during audits from time to time it will also provide you a great gut check to ensure the conclusions you make are sound and supported.
Effectiveness checks are not statistically based or set based on risk.
The final part of any CAPA investigation is to verify the actions performed to eliminate the cause(s) were successful and that there is no evidence of the cause showing up again. When you look into your data sets to determine there is no recurrence of cause was the criteria based on something? Did you perform a sampling of records/data and did you justify why you chose that quantity to review? This is another area where statistical methodologies are very helpful to ensure the sampling is sound. We set the most stringent sampling for high-risk issues and lowered it from there for medium and low-risk situations as part of the rationale/justification. Not only does this help ensure a sound argument it will also ensure that you’re doing a deeper dive into your data post-implementation of Corrective/Preventive actions to ensure that the causes are truly eliminated. From a Quality and Business perspective, this is critical to ensure the time spent investigating issues and fixing them is well spent resulting in increased quality and safety of the final products which ultimately leads to increasing the strength of your brand as a business in the marketplace.
Only a small portion of employees understand how to use the system.
When was the last time your training program was objectively evaluated to determine the effectiveness of ensuring the end users understand the process and can execute the expectations required for a successful CAPA investigation? There is no need to reinvent the wheel here but if the current training program for your CAPA system is only a read and understand you’re failing to ensure a robust understanding of the importance and utilization of this QMS system. One of the most rewarding experiences I had post-remediation of the CAPA system was partnering with a colleague and designing a two-day course on the CAPA system and included topics from regulatory requirements, technical writing, root cause tools/techniques, and group breakout sessions to perform mini investigations based on a real-world problem. We collected feedback after each session to make changes/improvements and gain an understanding of the value that was provided to the cross-functional groups who were a part of this training. Upon completion of this training, these were the individuals who would later be considered for lead investigator to lead CAPA investigations based on being assigned during the CAPA review board. Along with this training course, we had the regular read and understand and a knowledge check quiz that was on an annual refresh. This way the scores could be reviewed and if needed additional training/support could be given to those who needed it.
I hope this overview of some of the basics was of some value to you and your Quality team. Take an objective look at your system and if any of the issues I spoke about here are showing up take some actions and work to remediate these and you’ll find the effort will be well worth the time investment. If you’re still struggling or not sure where to start with your current situation please reach out to me as I provide consulting services specifically for getting CAPA systems into a state of functional compliance. Contact information can be found at Trustedqualityllc.