Hello everyone, and welcome to another installment of MedTech Compliance Chronicles! Having tackled the challenges of managing nonconforming products, we now turn our focus to the cornerstone of quality management: the Corrective and Preventive Actions (CAPA) process. CAPA is an essential mechanism for identifying, investigating, and resolving issues that could compromise product quality or patient safety. By implementing effective CAPA procedures, medical device manufacturers can ensure that problems are not only corrected but prevented from recurring, thereby enhancing the overall reliability and integrity of their products.
Most people have heard a phrase that goes something along the lines of “mistakes happen, don’t let the same one happen twice.” Perhaps a nicer way of saying it is to learn from your mistakes. Regardless, the CAPA system is essentially how the US FDA makes this philosophy law for medical device manufacturers. Barring a catastrophic event arising from blatant negligence, the FDA rarely comes down hard for the first occurrence of an incident. This is because they have included the CAPA subsystem in the quality management system regulations and expect that it is adhered to. Under the CAPA subsystem, medical device organizations are expected to evaluate all nonconformities or potential nonconformities for the need for an investigation to determine the underlying causes, correct them and then verify that they have indeed been corrected.
Corrective vs Preventive Actions
“One of the most important quality system elements is the corrective and preventive action subsystem”
US FDA, Guide to Inspections of Quality Systems
From the FDA itself, corrective and preventive actions are among the most important aspects of any organization’s QMS. The CAPA system drives improvement, innovation and organizational sustainability. Mistakes and nonconformities happen, they are a normal part of operation. However, passive acceptance of them will kill even the largest of organizations. CAPA is an organization’s means of ensuring that they do not make the same mistake twice by identifying the underlying root cause of the nonconformity and implementing evidence based solutions to correct that root cause.
First we will clear up some common terminology mistakes when dealing with this particular subsystem of a QMS. Corrective and preventive actions both take action to eliminate the underlying root cause of an issue. Whether or not an action is corrective or preventive depends on whether or not a nonconformity has already resulted from the issue. For example, if a routine in-process inspection fails and action is taken to correct the root cause of why the failure occurred, the action is corrective because a failure had already occurred. Alternatively, if a control chart of a process is beginning to show signs that a process might be drifting out of control and investigation is held to determine the root cause of why the process is drifting and correct it before it causes any actual nonconformities, then that action is preventive. A final point of terminology confusion is the difference between a corrective action and a correction. These are minor linguistic differences and are often used interchangeably by many, however, they do not officially mean the same thing. A correction simply corrects a nonconformity whereas a corrective action corrects the root cause of the nonconformity to prevent its recurrence. Correction is usually the first part of a corrective action but corrective action is not necessarily taken with each correction. Back to our example of the product failing an in-process inspection, if the product which failed were reworked into a conforming state, this would be the correction. The investigation, identification of root cause and actions taken to prevent recurrence of the issue are the corrective action.
Now that we have an understanding of what CAPA is, let’s talk a little bit about what the requirements are and what should trigger initiation of a CAPA. The requirements around CAPA are fairly straightforward. You will first review each nonconformity (as already discussed as part of nonconforming product requirements) as well as potential nonconformities and evaluate the need to take action to prevent their recurrence or occurrence. If the need for action is determined to be appropriate, you must then investigate the root cause of the issue. After the root cause has been determined you must then verify or validate your proposed solutions and implement them. Finally, once the solutions have been implemented for a period of time you must verify that they have been effective in actually preventing the recurrence (or occurrence for preventive actions) of the nonconformity.
When it comes to what should trigger a CAPA, there are a couple of general guidelines and expectations, though it is most often left to the professional judgment of the organization. For the most part, high risk nonconformities for which the cause is unknown should probably trigger a CAPA. For lower risk nonconformities and preventive actions (where no nonconformity has occurred yet) you must analyze the data from your measurement and monitoring system to see if you have been having any trends or significant increases in particular failure modes. This is where having good statistical process controls can be critical. If these are set up right, more of your actions can be preventive rather than corrective.
Root Cause Analysis
Now, once you have examined all of your data and identified some issues that you believe you should take action to eliminate, what next? Next you will need to conduct an investigation to identify the root cause of the issue and determine solutions to correct it. Root cause analysis is a complex process that seems very different from situation to situation but, fundamentally can and should be a concise, consistent process utilizing deductive reasoning and the scientific method to systematically reduce problems down to their most rudimentary causes.
When it comes to conducting root cause analysis there are a couple of best practices and things to keep in mind. The first and foremost being to assemble a cross functional team. At least one member of this team should be a representative of the process which is exhibiting the issue. The team may also change as the investigation continues, other processes could be identified as contributing factors and representatives from those processes should be brought in as well. It is a very common and crippling mistake to limit root cause investigations to a team of management and engineers or to not change the team as new information arises. To truly identify underlying issues, the perspectives of those who work the process from day to day is vital.
Another critical point of root cause analysis is to not jump to solutions too fast. When a problem is first identified it is everyone’s nature to shout out their idea of what went wrong and how to fix it. This is the typical band-aid approach that has left management at many companies unable to find solutions to problems for years. The first step of root cause analysis (after forming your team) should be to gather all pertinent information about the problem as possible. The questions ‘what’, ‘who’, ‘when’, ‘where’ and ‘how much’ should all be answered. Avoid asking ‘why’ too soon as it can force you to look for solutions before you have fully defined the problem. Also remember that problems, especially complex problems, can have more than one root cause, another reason to ensure that you have gathered all information possible across all sources before beginning to look for solutions.
Once you have gathered all relevant information it is time to begin digging into it all to identify the root cause(s) of the problem. There are several formal brainstorming tools and techniques you can use with your team such as a fishbone diagram, 5 whys, is - is not, etc. Tools and techniques for root cause analysis could be an entire topic of its own but eventually, with whatever tools you utilize, you will get down to one or a couple of underlying issues you believe are the root cause(s). The next step will be to hypothesize solutions, verify that they actually solve the issue and implement them. This is a step that does require you to revisit risk management. The solutions to many problems often result in some type of changes, which must be evaluated for their risks in the same ways the original product or processes were. The solutions that are selected must also be verified and/or validated (depending on the nature of the particular solution) also in a similar manner to the original product or process. Once the risk has been deemed acceptable and the solution verified or validated, all that is left is to implement it.
Verification of Effectiveness
Alas we have come to the final and most forgotten step of CAPA, verifying the effectiveness of actions taken. This is a little bit different from verifying or validating the action itself. When you verify the action prior to implementation you usually do so in a well designed experiment where everyone is paying close attention to detail and often management and engineers are either present or sometimes even the ones physically doing the process. Verifying the effectiveness of corrective or preventive actions, however, means coming back to the process after the actions have been implemented for a period of time and confirming that the issue has not presented itself since implementation of the actions. At many organizations, there are set time points (3 or 6 months) at which point a quality representative goes back and reviews data related to the CAPA to confirm that the issue has been adequately addressed.
In some cases, due to the nature of some problems it is not reasonable to wait and see if the problem resurfaces. These could be problems that only present themselves rarely so waiting for adequate data could take years or high risk problems that need to be adequately addressed for the safety of users or patients. In these cases it is often the approach to design some type of simulation experiment that will simulate how the actions taken will work over a period of time. If this is the approach taken, careful attention must be paid to the justifications as to why the simulated conditions are representative of actual conditions and these justifications should be documented along with the CAPA.
Conclusion
Overall, the CAPA process is one of the most important processes within an organization, even the FDA agrees. It is the ultimate driver of improvement initiatives that ensure organizational sustainability in an increasingly competitive market. The overall process involves identifying current or potential quality issues, determining their most fundamental causes and taking evidence based decisions to implement solutions for them. With an effective CAPA subsystem your organization can stay ahead of the game and drive defects to unprecedentedly low levels.
Comments