A risk-based CAPA process is a common goal of medical device manufacturers, but until recently “risk-based” was not clearly defined.
The biggest fundamental change in both ISO 9001:2015 and ISO 13485:2016 is an emphasis on risk-based process management.
The CAPA process is the heart of your quality system and one of the most important processes. Therefore, this presentation gives you a whole new set of tools for managing your CAPA process using risk-based approach
A risk-based CAPA process is more than prioritization.
This presentation includes:
-An outline of the CAPA process and proposed risk management activities
-Various risk control options that can be integrated with corrective actions
-How to reconcile conflicts between the definitions for risk in ISO 9001:2015 and ISO 13485:2016
-And more...
Watch the presentation here: https://www.greenlight.guru/webinar/risk-based-capa-process
Challenges and Opportunities: A Qualitative Study on Tax Compliance in Pakistan
How to Create a Risk-Based CAPA Process
1. Slide 1
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Risk-Based CAPA
2. Slide 2
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Inputs to the CAPA Process
CAPA is the heart of a Quality Management System
(QMS) and indicates how effective the QMS is.
CAPA’s
Risk Analysis
MAUDE
Clinicals
Effectiveness P
Service
Mngt. Review
Internal Audits
VOC Surveys
NCMR’s
Complaints
Validation
3. Slide 3
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Key Elements of CAPA Forms
• Provide Enough Room
• Date Initiated
• Include a Cross-Reference
• CAPA Source
• Description of Issue
• Investigator Assigned & Target Due Date
• Investigation of Problem
• Containment
• Correction(s)
• Investigation of Root Cause
• Corrective Action Plan & Target Due Date
• Preventive Action Plan & Target Due Date
• Actions Implemented
• Plan for Verification of Effectiveness
• Effectiveness Verification
• Signature & Closure Date
“15 Tips for Creating an Effective CAPA Form”
http://bit.ly/CAPAForm
4. Slide 4
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Root Cause Analysis Tools
• 5 Why Analysis
• Is / Is Not Analysis
• Fishbone Diagrams
• Affinity Diagrams
• Pareto Analysis
5. Slide 5
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
5 Why Analysis
Why are tires blowing out at
20,000 miles?
Why are side walls too thin?
Why are calipers out of
tolerance?
Why did calibration technician
use incorrect procedure?
Why wasn’t a transition plan created
when HR person was laid off?
Not just 5 questions
beginning in “WHY”,
but each question must
lead to the next.
6. Slide 6
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Is / Is Not Analysis
• What?
– What is the object/process affected?
– What exactly is wrong?
• Where?
– Where do you see the problem?
– Where on the object does the problem occur?
• When?
– When did the problem occur?
– When in the process flow does the problem occur?
• How?
– How does the problem occurrence form a pattern?
– How big is the problem?
• Ask the opposite questions too
7. Slide 7
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Fishbone Diagrams
Materials
Manpower
Mother
Nature
Measurement
Machines Methods
Effect
6M’s
8. Slide 8
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Brainstorming…
Idea 1
Idea 2
Idea 3
Idea 4
Idea 5
Idea 6
Idea 7
Idea 8
9. Slide 9
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Affinity Diagrams
9
Idea 1 Idea 2Idea 3
Idea 4
Idea 5 Idea 6
Idea 7Idea 8
Category 1 Category 2 Category 3
10. Slide 10
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Pareto Analysis
11. Slide 11
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Why Risk-Based?
• 21 CFR 820 – 1 instance of the word “risk”
• ISO 9001:2008 – 3 instances of the word “risk”
• ISO 9001:2015 – 31 + 10 instances of the word “risk”
• ISO 13485:2003 – 4 instances of the word “risk”
• ISO 13485:2016 – 20 instances of the word “risk”
“13485 Plus” is a guidance document that was published
by the Canadian Standards Association in February 2006.
I have been recommending it over all other guidance
documents for quality system implementation since
2010. It mentions the word “risk” 60 times.
http://bit.ly/13485Plus
12. Slide 12
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
14971 Plus - http://bit.ly/ShopCSA
13. Slide 13
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
14971 Plus =
Standard + Gap + Bonus Tools
14. Slide 14
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Bonus Tools in 14971 Plus
15. Slide 15
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Risk Management is a Process
4 – Risk Analysis
5 – Risk Evaluation
6 – Risk Control
7 – Residual Risk
Acceptability
8 – Risk Management
Report
9 – Production &
Post-production Info
Risk
Assessment
Risk
Management
16. Slide 16
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Risk is Filter & Prioritization Tool
Quality
Issues
Quality
Plan
Risk
Analysis
Trend
Analysis
Formal
CAPA
We use a risk-
based approach
We always
initiate a CAPA
“Death by CAPA”
17. Slide 17
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
If it happens 3x…
• “How many nonconformities can occur before a
CAPA should be opened?”
– There is no “Rule of 3”
http://medicaldeviceacademy.com/minimum-data-points/
18. Slide 18
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Mitigation vs. Control
• In the 2007 version of ISO 14971, the term
“mitigation” was removed.
• Mitigation implies elimination of risks, while
control implies reducing and monitoring risks.
19. Slide 19
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Corrective Action (ISO 9001:2015)
• Clause 10.2 – Nonconformity & Corrective Action
– 10.2.1 When a nonconformity occurs, including those arising from complaints, the
organization shall:
a) react to the nonconformity, and as applicable:
1. take action to control and correct it;
2. deal with the consequences;
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it
does not recur or occur elsewhere, by:
1. reviewing the nonconformity;
2. determining the causes of the nonconformity;
3. determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) make changes to the quality management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
NOTE 1 In some instances, it can be impossible to eliminate the cause of a nonconformity.
NOTE 2 Corrective action can reduce the likelihood of recurrence to an acceptable level.
– 10.2.2 The organization shall retain documented information as evidence of:
a) the nature of the nonconformities and any subsequent actions taken;
b) the results of any corrective action.
20. Slide 20
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Definition of Risk in ISO 9001
• ISO 9001:2015, Clause 3.09 [Source: ISO DIS 9000:2014, 3.7.4] - effect
of uncertainty on an expected result
– Note 1 to entry: An effect is a deviation from the expected — positive or
negative
– Note 2 to entry: Uncertainty is the state, even partial, of deficiency of
information (3.50) related to, understanding or knowledge (3.53) of, an
event, its consequence, or likelihood.
– Note 3 to entry: Risk is often characterized by reference to potential
“events” (as defined in ISO Guide 73:209, 3.5.1.3) and “consequences” (as
defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
– Note 4 to entry: Risk is often expressed in terms of a combination of the
consequences of an event (including changes in circumstances) and the
associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of
occurrence.
– Note 5 to entry: The term “risk” is sometimes used when there is only the
possibility of negative consequences
21. Slide 21
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Preventive Actions in ISO 9001:2015
Annex A.4 – Risk-based Approach
“One of the key purposes of a quality management
system is to act as a preventive tool. Consequently,
this International Standard does not have a
separate clause or sub-clause titled 'Preventive
action’. The concept of preventive action is
expressed through a risk-based approach to
formulating quality management system
requirements.”
22. Slide 22
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Corrective Action (ISO 13485:2016)
Clause 8.5.2 – The organization shall take action to eliminate the cause of
nonconformities in to prevent recurrence. Corrective actions shall be appropriate
to the effects of the nonconformities encountered. The organization shall
document a procedure to define requirements for:
a) reviewing nonconformities (including complaints);
b) determining the causes of nonconformities;
c) evaluating the need for action to ensure that nonconformities do not recur;
d) planning and documenting action needed and implementing such action in
a timely manner, including, as appropriate, updating documentation;
e) verifying that the corrective action does not adversely affect the ability to
meet applicable regulatory requirements or the safety and performance of
the medical device; and
f) reviewing the effectiveness of corrective action taken.
Records of the results of any investigation and action taken shall be maintained
23. Slide 23
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Preventive Action (ISO 13485:2016)
Clause 8.5.3 – The organization shall determine action to eliminate the causes of
potential nonconformities in order to prevent their occurrence. Preventive
actions shall be appropriate to the effects of the potential problems. The
organization shall document a procedure to describe requirements for:
a) determining potential nonconformities and their causes,
b) evaluating the need for action to prevent occurrence of nonconformities,
c) planning and documenting action needed, and implementing such action in a
timely manner, including, as appropriate, updating documentation,
d) verifying that the action does not adversely affect the ability to meet
applicable regulatory requirements or the safety and performance of
products, and
e) reviewing the effectiveness of the preventive action taken, as appropriate.
Records of the results of any investigations and of action taken shall be
maintained
24. Slide 24
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
21 CFR 820.100
a) Each manufacturer shall establish and maintain procedures for implementing corrective and preventive
action. The procedures shall include requirements for:
1) Analyzing processes, work operations, concessions, quality audit reports, quality records, service
records, complaints, returned product, and other sources of quality data to identify existing and
potential causes of nonconforming product, or other quality problems. Appropriate statistical
methodology shall be employed where necessary to detect recurring quality problems;
2) Investigating the cause of nonconformities relating to product, processes, and the quality system;
3) Identifying the action(s) needed to correct and prevent recurrence of nonconforming product and
other quality problems;
4) Verifying or validating the corrective and preventive action to ensure that such action is effective
and does not adversely affect the finished device;
5) Implementing and recording changes in methods and procedures needed to correct and prevent
identified quality problems;
6) Ensuring that information related to quality problems or nonconforming product is disseminated
to those directly responsible for assuring the quality of such product or the prevention of such
problems; and
7) Submitting relevant information on identified quality problems, as well as corrective and
preventive actions, for management review.
b) All activities required under this section, and their results, shall be documented.
25. Slide 25
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Containment & Correction
• 21 CFR 820.90 – Control of Nonconforming
Product (new language in ISO 13485:2016,
Clause 8.3.1) – determine the need for
investigation and notification of responsible
party
• Clause 8.3.2 – Actions taken
• 21 CFR 806 – Recalls/Corrections & Removals
(now ISO 13485:2016, Clause 8.3.3)
• Clause 8.3.4 – Rework (review the potential
adverse effects of rework)
26. Slide 26
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Risk Controls
• Inspection – 21 CFR 820.80
• Process Validation – 21 CFR 820.75
27. Slide 27
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
21 CFR 820.250
Statistical Techniques
a) Where appropriate, each manufacturer shall establish
and maintain procedures for identifying valid statistical
techniques required for establishing, controlling, and
verifying the acceptability of process capability and
product characteristics.
b) Sampling plans, when used, shall be written and based
on a valid statistical rationale. Each manufacturer shall
establish and maintain procedures to ensure that
sampling methods are adequate for their intended use
and to ensure that when changes occur the sampling
plans are reviewed. These activities shall be
documented.
28. Slide 28
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Quantitative Effectiveness Checks
Cpk = 0.837
Cpk = 2.50
Preventive Action
29. Slide 29
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Definition of Risk in ISO 13485
• ISO 13485:2016, Clause 3.17 [Source: ISO
14971:2007, definition 2.16] – combination of
the probability of occurrence of harm and the
severity of that harm
P1 & P2 from Annex E of ISO 14971:2007
30. Slide 30
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Hazard vs. Harm
• ISO 14971, Clause 2.3 – Hazard is a “potential
source of harm”
[ISO/IEC Guide 51:1999, definition 3.5]
• ISO 14971, Clause 2.2 – Harm is a “physical
injury or damage to the health of people, or
damage to property or the environment”
[ISO/IEC Guide 51:1999, definition 3.3]
35. Slide 35
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Quality Management System Planning
ISO 13485:2016, Clause 5.4.2
Top management shall ensure that:
a) the planning of the quality management system is carried
out in order to meet the requirements given in 4.1, as well as
the quality objectives, and
b) the integrity of the quality management system is
maintained when changes to the quality management
system are planned and implemented.
NOTE: Quality management system planning normally includes
identification and implementation of action items that are
intended to accomplish quality objectives, monitoring the
progress toward completion of action items, and revision to the
planning based on monitoring.
36. Slide 36
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Change Management Advice
• Training Plan – Competency (ISO 13485:2016,
Clause 6.2b)
• Monitoring & Measurement Plan
– ISO 13485:2016, Clause 8.2.4 – Internal Audit
– ISO 13485:2016, Clause 8.2.5 – Monitoring &
Measurement of Processes
• Update your Master Validation Plan &
Revalidation Requirements
37. Slide 37
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Other Training
http://medicaldeviceacademy.com/webinars/
http://medicaldeviceacademy.com/Amsterdam-510k-workshop/
38. Slide 38
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Rob Packard
rob@13485cert.com
+1.802.281.4381
rob13485
Q & A
https://calendly.com/13485cert/15min