I've long been troubled by the ubiquitous acronym used to refer to corrective action: CAPA. My gut reaction borders on the irrational. Most of you reading this have heard of or read about or used the acronym hundreds of times. And you're probably wondering why the two syllables CA-PA should produce such an extreme reaction - especially in someone who spends a great deal of her time teaching people about both corrective action and preventive action. The short answer is simple: They're two separate processes that have been mashed together resulting in a diminution in the effectiveness of both.
I decided to go back to 21 CFR Part 820 and see if I could figure out how this all started. I compared the text of the CFR with that of both ISO 9001:2008 and ISO 13485:2003. And I had an epiphany. There's a subtle difference in the text that could very well be the cause of this long perpetuated disconnect.
In the CFR, under Subpart J 820.100 Corrective and preventive action, it states: "...The procedures shall include requirements for: ...Analyzing processes, work instructions...and other sources...to identify existing and potential causes of nonconforming product, or other quality problems." So, the intent of this requirement is focused entirely on existing problems. It requires identification of actual causes as well as other possible causes of the known problem or defect. Again, it's dealing with an existing problem.
Now, let's look at the text of ISO 9001:2008, which is the foundation for ISO 13485:2003 the sector-specific quality management system for organizations dealing with medical devices, (so - the text in both standards is identical). Under 8.5.2 Corrective Action, organizations are required to: "...take action to eliminate the cause of nonconformities in order to prevent recurrence."
The text, like that of the CRF is focused on actual nonconformities.8.5.3 Preventive action has slightly different language (...and herein lies the ambiguity).Its requirements relate to:
This is where the two documents diverge. Note that the CFR never addresses potential problems. As a matter of fact, it is silent on the subject of risk, which is essentially what preventive action is all about: addressing risks - the potentiality for a problem, nonconformity or product defect - and mitigating or completely eliminating the problem and/or consequence.
Of course, the technical experts who authored the ISO 9001 standard probably exacerbated this misconception by locating the subclause on preventive action directly after the one for corrective action. This created the erroneous perception that preventive action is a segue to corrective action. The fact is that if you are proactive by first addressing the possibility that something will go wrong, there's a good chance you'll have less problems and will be, therefore, conducting fewer corrective actions.
So, if an organization is required to conform to both 21 CFR Part 820 and ISO 13485 or ISO 9001, the documentation for preventive action will be ambiguous, unless very careful attention is paid to the language in the documented procedures relating to both corrective action and preventive action. Why is this a big deal?
Consider: the CFR is essentially focused on medical devices. But the biomed and pharmaceutical industries, due to obvious similarities in markets, have adopted the CAPA concept wholesale. In addition, they flow these requirements down to their first, second and third tier suppliers. CAPAs are everywhere. Everyone's doing CAPAs despite the fact that few organizations truly understand the requirement, the intent or how to implement a corrective action process effectively and efficiently.
The CAPA forms predictably will have a section for immediate corrective action and then preventive action--or long term corrective action. What they should have is a section for immediate action (which might include activities like issuing a temporary deviation notice as a stop gap measure) and then corrective action. Unfortunately, in the space provided for immediate action, people often include stuff that correlates more precisely to the sections in both standards dealing with control of nonconforming material. (Subpart I 820.90 in the CFR and 8.3 in ISO 9001).
The documented procedure should clearly explain that corrective action includes actions to prevent recurrence. Preventive action should be a separate procedure that addresses potential problems and that is built into multiple other processes, such as product and process design with tools such as fault tree analyses (FTA) or failure modes and effects analysis (FMEA).
By ensuring proper definition and implementation, organizations facilitate their ability to fulfill the requirements of both standards in such a way as to experience optimum return on investment for resources expended in both processes. Otherwise they end up with lots of paper shuffling that has no appreciable value.
What's the payback of separating the two processes and ensuring appropriate definition of both?
1) People will stop confusing evaluation of defective product with root cause analysis of the cause of the defect or undesirable condition. Example: A device has been returned because it's defective. Evaluation shows that the inner diameter of the tube is undersize by .08 cm. Action to correct the defect might be to ream out the bore to the right diameter. This action is called "correction" and is described in ISO 9000:2005 Quality management systems - Fundamentals and vocabulary. The definition reads: "3.6.6 correction: action to eliminate a detected nonconformity." Without a sufficient understanding of corrective action, the average technician assumes that figuring out that the bore is the wrong size constitutes root cause analysis. The opportunity to aggressively search for the cause—why did we bore the tube out to the wrong diameter?—is lost.
2) People will stop confusing preventing recurrence with preventing occurrence. The former (preventing recurrence) is action addressing the cause of a nonconformance. It is a reactive process built into corrective action. The latter (preventing occurrence) is the process of investigating potential problems and preventing the occurrence. It is a proactive process. In an industry that often engenders significant risk to human beings, this second process would seem to be the more effective and valuable process. This leads us to 3.
3) Organizations can finally spend appropriate resources on mitigating risk and preventing terrible and costly things from happening. The cost of preventing defects and accidents is often considerably less than dealing with reworks, repairs, scrap, fines, warranty issues, libel suits, downtime, injury, etc. We all need to establish controlled processes that foster a culture in which we can responsibly address potential problems. This is where the true cost savings occur.
Based on this discussion, what should organizations do?
First, organizations must clearly define terms and describe processes in such a way as to fulfill the requirements of both the CFR and ISO 9001 - or whatever QMS standard has been adopted.
Second, they should develop forms that facilitate comprehension of the unique deliverables from different QMS requirements. There should be a form for dispositioning nonconforming material and related actions such as containment, sorting, notifications, etc. A separate form would be used for corrective action that focuses solely on addressing the cause of the problem. This allows the organization to approach the situation more globally and ask if there have been similar occurrences. It also makes it easier to see beyond the area in which the defect was first detected and to more effectively assess ancillary processes. It is not necessary to have a form for preventive action unless the organization feels that this will facilitate implementation of the process. But, since preventive actions are usually associated with other processes (like FMEA, 5-S, Kaizen or improvement projects), having a form might result in unnecessary redundancy.
Third, the organization should ensure adequate training of individuals involved in the corrective action process. People who don't understand the process or the deliverables will fall back into either correction mode or the ubiquitous "operator error" pitfall.Fourth, start doing prevention actions. Remember, the better job you're doing with preventive actions, the fewer corrective actions you'll have to do.
Fifth, make sure that when you initiate corrective action that you conduct thorough root cause analysis. Use the many tools available to you: 5 Why's, brainstorming, fishbone diagrams, design of experiment, auditing, flowcharting and any others you may have at your disposal. Be aggressive and don't be afraid to ask the hard questions. Ensure that conclusions are based on verifiable fact and not on anecdote or innuendo.
Sixth, develop a robust and complete corrective action plan. Include appropriate consideration of documentation, people needed, training requirements, equipment issues, money and time needed, impact on other processes, etc. Don't exclude people. Commit to doing it right this time so you don't have to address the same problem in six months.Seventh, follow-up. Develop appropriate metrics and methodologies to monitor the action so that you can objectively verify that the action taken was effective. This gives you the added bonus of having the information available to benchmark great ideas that have come out of the action taken.
Finally, stop calling them CAPAs. If you can't bring yourself to abandon the acronym try reversing it and calling them "PACAs." At least then you'll have started on the path to the corrective action of an errant acronym that is exercising too much control over two distinct and important processes.
Denise Robitaille is the author of nine books. She is an internationally recognized speaker who brings years of experience to the quality profession. She is a Fellow of the American Society for Quality. In 2005, she was recognized in Quality Digest as one of the "Drivers of Quality."
She is a member of US TAG to ISO/TC176, where she participates at the international level with other colleagues in the revisions to the ISO 9000 family of standards. She is also an RAB-QSA certified lead assessor and an ASQ Certified Quality Auditor.
Denise has helped numerous organizations to achieve ISO 9001 registration and to improve their quality management systems. She has conducted training courses for thousands of individuals on such topics as document control, corrective action, root cause analysis, management review, auditing and implementing ISO 9001. Denise's books include: The Corrective Action Handbook, The Management Review Handbook, Document Control: A Simple Guide to Managing Documentation, The Preventive Action Handbook, Managing Supplier Related Processes and The Insiders' Guide to ISO 9001:2008 (co-author). She is a regular columnist for Quality Digest and The Auditor and is the author of numerous articles. Denise can be contacted at by phone at 781-582-0088 and by email at DERobitail@cs.com.