How to Create a Risk-Based CAPA Process

Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
Risk-Based CAPA

rob@13485cert.com
Inputs to the CAPA Process
CAPA is the heart of a Quality Management System
(QMS) and indicates how effective the QMS is.
CAPA’s
Risk Analysis
MAUDE
Clinicals
Effectiveness P
Service
Mngt. Review
Internal Audits
VOC Surveys
NCMR’s
Complaints
Validation

rob@13485cert.com
Key Elements of CAPA Forms
• Provide Enough Room
• Date Initiated
• Include a Cross-Reference
• CAPA Source
• Description of Issue
• Investigator Assigned & Target Due Date
• Investigation of Problem
• Containment
• Correction(s)
• Investigation of Root Cause
• Corrective Action Plan & Target Due Date
• Preventive Action Plan & Target Due Date
• Actions Implemented
• Plan for Verification of Effectiveness
• Effectiveness Verification
• Signature & Closure Date
“15 Tips for Creating an Effective CAPA Form”
http://bit.ly/CAPAForm

rob@13485cert.com
Root Cause Analysis Tools
• 5 Why Analysis
• Is / Is Not Analysis
• Fishbone Diagrams
• Affinity Diagrams
• Pareto Analysis

rob@13485cert.com
5 Why Analysis
Why are tires blowing out at
20,000 miles?
Why are side walls too thin?
Why are calipers out of
tolerance?
Why did calibration technician
use incorrect procedure?
Why wasn’t a transition plan created
when HR person was laid off?
Not just 5 questions
beginning in “WHY”,
but each question must
lead to the next.

rob@13485cert.com
Is / Is Not Analysis
• What?
– What is the object/process affected?
– What exactly is wrong?
• Where?
– Where do you see the problem?
– Where on the object does the problem occur?
• When?
– When did the problem occur?
– When in the process flow does the problem occur?
• How?
– How does the problem occurrence form a pattern?
– How big is the problem?
• Ask the opposite questions too

rob@13485cert.com
Fishbone Diagrams
Materials
Manpower
Mother
Nature
Measurement
Machines Methods
Effect
6M’s

rob@13485cert.com
Brainstorming…
Idea 1
Idea 2
Idea 3
Idea 4
Idea 5
Idea 6
Idea 7
Idea 8

rob@13485cert.com
Affinity Diagrams
9
Idea 1 Idea 2Idea 3
Idea 4
Idea 5 Idea 6
Idea 7Idea 8
Category 1 Category 2 Category 3

rob@13485cert.com
Pareto Analysis

rob@13485cert.com
Why Risk-Based?
• 21 CFR 820 – 1 instance of the word “risk”
• ISO 9001:2008 – 3 instances of the word “risk”
• ISO 9001:2015 – 31 + 10 instances of the word “risk”
“13485 Plus” is a guidance document that was published
by the Canadian Standards Association in February 2006.
I have been recommending it over all other guidance
documents for quality system implementation since
2010. It mentions the word “risk” 60 times.
http://bit.ly/13485Plus

rob@13485cert.com
14971 Plus - http://bit.ly/ShopCSA

rob@13485cert.com
14971 Plus =
Standard + Gap + Bonus Tools

rob@13485cert.com
Bonus Tools in 14971 Plus

rob@13485cert.com
Risk Management is a Process
4 – Risk Analysis
5 – Risk Evaluation
6 – Risk Control
7 – Residual Risk
Acceptability
8 – Risk Management
Report
9 – Production &
Post-production Info
Risk
Assessment
Risk
Management

rob@13485cert.com
Risk is Filter & Prioritization Tool
Quality
Issues
Quality
Plan
Risk
Analysis
Trend
Analysis
Formal
CAPA
We use a risk-
based approach
We always
initiate a CAPA
“Death by CAPA”

rob@13485cert.com
If it happens 3x…
• “How many nonconformities can occur before a
CAPA should be opened?”
– There is no “Rule of 3”
http://medicaldeviceacademy.com/minimum-data-points/

rob@13485cert.com
Mitigation vs. Control
• In the 2007 version of ISO 14971, the term
“mitigation” was removed.
• Mitigation implies elimination of risks, while
control implies reducing and monitoring risks.

rob@13485cert.com
Corrective Action (ISO 9001:2015)
• Clause 10.2 – Nonconformity & Corrective Action
– 10.2.1 When a nonconformity occurs, including those arising from complaints, the
organization shall:
a) react to the nonconformity, and as applicable:
1. take action to control and correct it;
2. deal with the consequences;
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it
does not recur or occur elsewhere, by:
1. reviewing the nonconformity;
2. determining the causes of the nonconformity;
3. determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) make changes to the quality management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
NOTE 1 In some instances, it can be impossible to eliminate the cause of a nonconformity.
NOTE 2 Corrective action can reduce the likelihood of recurrence to an acceptable level.
– 10.2.2 The organization shall retain documented information as evidence of:
a) the nature of the nonconformities and any subsequent actions taken;
b) the results of any corrective action.

rob@13485cert.com
Definition of Risk in ISO 9001
• ISO 9001:2015, Clause 3.09 [Source: ISO DIS 9000:2014, 3.7.4] - effect
of uncertainty on an expected result
– Note 1 to entry: An effect is a deviation from the expected — positive or
negative
– Note 2 to entry: Uncertainty is the state, even partial, of deficiency of
information (3.50) related to, understanding or knowledge (3.53) of, an
event, its consequence, or likelihood.
– Note 3 to entry: Risk is often characterized by reference to potential
“events” (as defined in ISO Guide 73:209, 3.5.1.3) and “consequences” (as
defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
– Note 4 to entry: Risk is often expressed in terms of a combination of the
consequences of an event (including changes in circumstances) and the
associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of
occurrence.
– Note 5 to entry: The term “risk” is sometimes used when there is only the
possibility of negative consequences

rob@13485cert.com
Preventive Actions in ISO 9001:2015
Annex A.4 – Risk-based Approach
“One of the key purposes of a quality management
system is to act as a preventive tool. Consequently,
this International Standard does not have a
separate clause or sub-clause titled 'Preventive
action’. The concept of preventive action is
expressed through a risk-based approach to
formulating quality management system
requirements.”

rob@13485cert.com
Corrective Action (ISO 13485:2016)
Clause 8.5.2 – The organization shall take action to eliminate the cause of
nonconformities in to prevent recurrence. Corrective actions shall be appropriate
to the effects of the nonconformities encountered. The organization shall
document a procedure to define requirements for:
a) reviewing nonconformities (including complaints);
b) determining the causes of nonconformities;
c) evaluating the need for action to ensure that nonconformities do not recur;
d) planning and documenting action needed and implementing such action in
a timely manner, including, as appropriate, updating documentation;
e) verifying that the corrective action does not adversely affect the ability to
meet applicable regulatory requirements or the safety and performance of
the medical device; and
f) reviewing the effectiveness of corrective action taken.
Records of the results of any investigation and action taken shall be maintained

rob@13485cert.com
Preventive Action (ISO 13485:2016)
Clause 8.5.3 – The organization shall determine action to eliminate the causes of
potential nonconformities in order to prevent their occurrence. Preventive
actions shall be appropriate to the effects of the potential problems. The
organization shall document a procedure to describe requirements for:
a) determining potential nonconformities and their causes,
b) evaluating the need for action to prevent occurrence of nonconformities,
c) planning and documenting action needed, and implementing such action in a
timely manner, including, as appropriate, updating documentation,
d) verifying that the action does not adversely affect the ability to meet
applicable regulatory requirements or the safety and performance of
products, and
e) reviewing the effectiveness of the preventive action taken, as appropriate.
Records of the results of any investigations and of action taken shall be
maintained

rob@13485cert.com
21 CFR 820.100
a) Each manufacturer shall establish and maintain procedures for implementing corrective and preventive
action. The procedures shall include requirements for:
1) Analyzing processes, work operations, concessions, quality audit reports, quality records, service
records, complaints, returned product, and other sources of quality data to identify existing and
potential causes of nonconforming product, or other quality problems. Appropriate statistical
methodology shall be employed where necessary to detect recurring quality problems;
2) Investigating the cause of nonconformities relating to product, processes, and the quality system;
3) Identifying the action(s) needed to correct and prevent recurrence of nonconforming product and
other quality problems;
4) Verifying or validating the corrective and preventive action to ensure that such action is effective
and does not adversely affect the finished device;
5) Implementing and recording changes in methods and procedures needed to correct and prevent
identified quality problems;
6) Ensuring that information related to quality problems or nonconforming product is disseminated
to those directly responsible for assuring the quality of such product or the prevention of such
problems; and
7) Submitting relevant information on identified quality problems, as well as corrective and
preventive actions, for management review.
b) All activities required under this section, and their results, shall be documented.

rob@13485cert.com
Containment & Correction
• 21 CFR 820.90 – Control of Nonconforming
Product (new language in ISO 13485:2016,
Clause 8.3.1) – determine the need for
investigation and notification of responsible
party
• Clause 8.3.2 – Actions taken
• 21 CFR 806 – Recalls/Corrections & Removals
(now ISO 13485:2016, Clause 8.3.3)
• Clause 8.3.4 – Rework (review the potential
adverse effects of rework)

rob@13485cert.com
Risk Controls
• Inspection – 21 CFR 820.80
• Process Validation – 21 CFR 820.75

rob@13485cert.com
21 CFR 820.250
Statistical Techniques
a) Where appropriate, each manufacturer shall establish
and maintain procedures for identifying valid statistical
techniques required for establishing, controlling, and
verifying the acceptability of process capability and
product characteristics.
b) Sampling plans, when used, shall be written and based
on a valid statistical rationale. Each manufacturer shall
establish and maintain procedures to ensure that
sampling methods are adequate for their intended use
and to ensure that when changes occur the sampling
plans are reviewed. These activities shall be
documented.

rob@13485cert.com
Quantitative Effectiveness Checks
Cpk = 0.837
Cpk = 2.50
Preventive Action

rob@13485cert.com
Definition of Risk in ISO 13485
• ISO 13485:2016, Clause 3.17 [Source: ISO
14971:2007, definition 2.16] – combination of
the probability of occurrence of harm and the
severity of that harm
P1 & P2 from Annex E of ISO 14971:2007

rob@13485cert.com
Hazard vs. Harm
• ISO 14971, Clause 2.3 – Hazard is a “potential
source of harm”
[ISO/IEC Guide 51:1999, definition 3.5]
• ISO 14971, Clause 2.2 – Harm is a “physical
injury or damage to the health of people, or
damage to property or the environment”
[ISO/IEC Guide 51:1999, definition 3.3]

rob@13485cert.com
Scoring CAPA Risks
Catastrophic Critical Serious Minor Negligible
5 4 3 2 1
Frequent 5 Unacceptable Unacceptable Unacceptable Unacceptable ALARP
Probable 4 Unacceptable Unacceptable Unacceptable ALARP ALARP
Occasional 3 Unacceptable Unacceptable ALARP ALARP ALARP
Remote 2 Unacceptable ALARP ALARP ALARP Acceptable
Improbable 1 ALARP ALARP ALARP Acceptable Acceptable
ALARP As Low as Reasonably Practicable
Rating
↓®
Severity

rob@13485cert.com
Average Aging of CAPAs

rob@13485cert.com
Risk
Analysis
CAPA & Risk Management Tasks
CAPA
Opened
CAPA
Closed
CAPA
Initiation
Root Cause
Analysis
Corrective
Action Plan
Implementation
Effectiveness
Verification
Hazard
Identification
Risk Control
Option Analysis
Risk
Assessment
Risk Control
Effectiveness Verification
Risk
Management
Plan

rob@13485cert.com
Process Types & Risk Controls
• Manual Processes
• Semi-Automated
Processes
• Automated Processes
• Batch Processes
• 100% Inspection
• Sampling Plans
• Automated Inspection
• Process Validation
Trend Analysis & Statistical Techniques

rob@13485cert.com
Quality Management System Planning
ISO 13485:2016, Clause 5.4.2
Top management shall ensure that:
a) the planning of the quality management system is carried
out in order to meet the requirements given in 4.1, as well as
the quality objectives, and
b) the integrity of the quality management system is
maintained when changes to the quality management
system are planned and implemented.
NOTE: Quality management system planning normally includes
identification and implementation of action items that are
intended to accomplish quality objectives, monitoring the
progress toward completion of action items, and revision to the
planning based on monitoring.

rob@13485cert.com
Change Management Advice
• Training Plan – Competency (ISO 13485:2016,
Clause 6.2b)
• Monitoring & Measurement Plan
– ISO 13485:2016, Clause 8.2.4 – Internal Audit
– ISO 13485:2016, Clause 8.2.5 – Monitoring &
Measurement of Processes
• Update your Master Validation Plan &
Revalidation Requirements

rob@13485cert.com
Other Training
http://medicaldeviceacademy.com/webinars/
http://medicaldeviceacademy.com/Amsterdam-510k-workshop/

rob@13485cert.com
Rob Packard
rob@13485cert.com
+1.802.281.4381
rob13485
Q & A
https://calendly.com/13485cert/15min

How to Create a Risk-Based CAPA Process

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to How to Create a Risk-Based CAPA Process

Similar to How to Create a Risk-Based CAPA Process (20)

More from Greenlight Guru

More from Greenlight Guru (20)

Recently uploaded

Recently uploaded (20)

How to Create a Risk-Based CAPA Process