We see a few common threads when it comes to issues with CAPA in companies. Usually they’re making one of the following mistakes:
- They treat every issue as a CAPA-worthy incident. When this happens, companies can find themselves overburdened with paperwork and are under-resourced to deal with the onslaught of work. We call this “death by CAPA.”
- They don’t escalate issues to CAPA when the issues warrant it. This runs the risk of FDA warning letters and undue delays with maintaining safe and effective products on the market.
With these pointed out, it’s important for medical device companies to be able to distinguish whether an issue warrants a CAPA or not. Both overuse and underuse of CAPA can have negative consequences for the company.
Here are some thoughts on what you should look for to trigger a CAPA:
The Purpose of CAPA
A key thought to keep in mind about CAPA is that it is meant to be a system for addressing systemic quality issues. It is not to be treated as a warning system - it’s the mechanism that comes into play once you’ve received the trigger or warning. The overall purpose of CAPA is to find the root cause of an issue and develop a successful treatment plan for it.
The Systems That Feed CAPA
As you would have gathered, a CAPA might come from any area of the Quality Management System that qualifies as a systemic quality issue. It is fed into by other systems such as:
- Customer complaints
- Audits - both internal and external
Let’s take a closer look:
A nonconformance is often an issue that is related to the manufacturing of your medical device. As an example, perhaps you inspect some components or parts and find that they don’t meet required specification or inspection criteria. This would trigger a nonconformance.
As with many other components of medical device development, nonconformance triggers a process, which involves an investigation. You will need to document the occurrence, your investigation and any actions taken to remedy the situation; however, you don’t necessarily need to escalate the incident to creating a CAPA.
As a matter of fact, it’s very rare for a single nonconformance incident to trigger a CAPA. This is because you usually can handle that issue by following your nonconformance procedure.
So, when is a CAPA necessary? Usually when you see the same nonconformance problems repeatedly, indicating systemic issues.
If you’re finding that the same part is always failing inspection criteria despite nonconformance procedure being followed, you have a CAPA situation where more work needs to be done on the root cause and prevention or correction.
Complaints are generally going to occur after your product has shipped and the definition of a complaint is quite broad and far-reaching. According to definitions from FDA and ISO 13485:2016, any report of an issue or dislike of the product from the customer is termed as a complaint. It can be a much bigger deal than nonconformances because your product is already on the market and there are much wider implications for risk to your company.
As with nonconformances, a complaint in itself triggers an investigative process. This should identify what the issues are, how they affect the customer and what the root causes are for the problem. Also similarly to nonconformance, a single incident likely will not trigger a CAPA. Again, the key is systemic issues, so the same sort of complaint repeatedly could lead to a CAPA being enacted.
It’s important to note here that there’s really no set number when it comes to determining if a complaint should be considered systemic and worthy of CAPA. You will need to evaluate the bigger picture and note factors, such as the time between complaints or the circumstances around them.
There is a very big “but” here when it comes to complaints…
BUT, the exception to looking for a systemic pattern of complaints is any incident where an adverse event, such as injuries or the patient and/or customer getting hurt occur. Incidents like this always warrant a more thorough investigation and should be brought under CAPA. For the sake of risk to your company--and most importantly risk to patients, anything like this should be treated seriously because the ramifications of someone getting hurt can be huge.
We wrote recently about managing CAPA from internal audits. A couple of key points were to ensure you have a clearly documented process for CAPA, that you keep good records and that you clearly define what should fall under CAPA.
Your audits, whether internal or external tend to be a key source for CAPA, but as with the previous contributors, the key factors emphasized for whether CAPA is necessary are quantity and severity. If you look to ISO 13485 and ISO 14971 definitions of risk, they look at probability of occurrence in combination with the severity of the issue.
A severe issue will always trump the fact that it’s the first reported occurrence, while multiple (systemic) reports of an incident will trump its lack of severity.
You have a number of tools and mechanisms at your disposal within the medical device development environment. Make use of your risk management tools to determine what path you should take - to CAPA or not to CAPA?
Whenever an incident occurs, there should always be a connection with risk management. You should first turn to the risk management documents for the product and check them over. Did you already consider and capture the particular issue in your documents? If not, then it’s time to update them. If so, did you calculate the risk appropriately previously? CAPA may be used as a way to mitigate that risk going forward because the root cause should be addressed and resolved.
Change management is another mechanism that all companies should already have in place. It may be known by different terminologies (change control, change requests, change orders etc.), but the bottom line is that it is a system that should be used regularly and may be triggered by any of the previous systems we’ve talked about.
For example, if you have single incidents of complaints or nonconformances, these may trigger a change in your documentation, labeling, product, design or specifications. Change management is your way of documenting what is changing. Perhaps the whole incident can be handled this way and there is no need for CAPA.
Design controls are another system that may come into the picture. These other mechanisms may be the better way to address the issue, rather than devoting resources to an unnecessary CAPA.
If anything, remember these two considerations when it comes to deciding whether a CAPA is necessary: quantity and severity.
You don’t want to create a burdensome system where everything is put through CAPA as this is a huge commitment of resources which, for most companies, will be difficult to commit to without drastically impacting lead times.
You also don’t want to underuse CAPA and leave out issues that should have been given CAPA treatment. This can also create headaches, such as 483's and extensive work required after auditing.
Consider the other systems that you have at your disposal; are any of them a more appropriate mechanism for taking care of the issue? CAPA is intended for systemic or severe issues, but is definitely not necessary for every issue you strike.