Corrective action and preventive action (CAPA) policies and procedures have now been a mainstay for years in most life science companies’ quality management systems due to regulation adherence to standards. Across our business, and with our clients, we are seeing an increased emphasis on implementations across several standards and regulations, which address the needs of products marketed across multiple regulatory regions. With impressive technological advances, it is natural that companies are starting to develop products that span multiple sectors, and even multiple regulatory pathways. A not too far-fetched example might be a product that has a companion diagnostic via a software platform that determines the disease, is then treated by a personalized formulation of a stem cell allograft that utilizes a drug delivery system to targeted dose at a specific site, all of which would then be monitored by a health maintenance app on a mobile device. In this scenario, applying a CAPA / quality event system that is fit for purpose for all aspects of this cross-platform therapy is quite involved, with at least four regulations/standards to consider (medical devices, HCT/Ps, biologics, GAMP, etc.).
So, the question then becomes; what standard/regulation do you use for your CAPA system and how do you cover all the others? The answer is nuanced, but generally the use of ISO 13485 Section 8 and 21 CFR 820.100 for medical devices should be considered and all others applied in a ‘belts and braces’ approach. This paper will utilize 21 CFR 820.100 as the basis for CAPA system, then reconcile with ISO 13485 and finally build a highly efficient, best practices process.
Regulations and Constraints
The CAPA process is generally constricted by the regulations and standards as applied to our industry; to this day FDA still issues more 483 observations for CAPA deficiencies than any other category. FDA’s 21CFR820.100 requires the following elements, in order (paraphrased):
We will therefore use these elements and this process as the baseline for constructing our CAPA system. Since we want to ensure compliance to other regions/standards, we should also look at the other most common regulation, ISO 13485, Section 8, which is paraphrased below:
Now, before we get too deep into parsing the meaning of each step, and then building our new system, a few cautions need to be stated on the definitions of words used in both the FDA regulation and the ISO standard. The words correction, corrective action and preventive action are too often misused or misunderstood. Simply put, a correction addresses an immediate problem, a corrective action is intended to prevent recurrence and a preventive action is intended to prevent occurrence in the first place. The following example may best illustrate the differences.
Imagine a production area where a technician enters the room to find one tank of reagent spilling on the floor via an open valve. A correction would be to immediately stop the spill, perhaps closing an open valve. This is immediate, and often precedes opening a CAPA process (you wouldn’t want to wait to stop the reagent from continuing to spill). Later, after a CAPA process is initiated, a corrective action may be to put a lock or sensor on the valve to prevent/alarm when the valve is open. A preventive action would be to apply the same lock/sensor on the other tanks, even though (so far) no leaks have occurred on those tanks.
Another area of confusions seems to be around verification versus validation. Again, a simplistic way to differentiate is to consider the above leaking tank. After the corrective action or preventive action has been proposed, the effectiveness of the proposed solution can be determined via two approaches; perform a thorough/complete verification of the solution on a pre-production small scale, or off-line tank, or perform a statistical validation on the full-scale tank and process.
Therefore, a verification implies smaller scale, off-line testing with a generally thorough (100%) check of all the functionality, or a validation implies testing on the full-scale process, where a statistical approach is used to ensure reliability of key/critical parameters. By the way, FDA does not require one versus the other, but you must justify your approach as appropriate for your scenario.
So we have two CAPA processes to understand; FDA’s 820.100 and ISO 13485’s Section 8. We will have to clearly reconcile both processes. Before that occurs, we have to parse the meaning of each to understand how we can combine. Let’s start with FDA’s regulation (again paraphrased):
Now let’s parse the ISO Standard (also paraphrased):
Fortunately, both the standard and the regulation have reasonably similar approaches, which enables a modern CAPA system that can be compliant to both. Generally, the best approach is to start with the FDA regulation, since it is a bit more prescriptive than the standard, as use ‘belts and braces’ approach to the ensure compliance to the standard. We are therefore left with the following steps that cover both:
Based on the above reconciled steps, the CAPA process would look something like this:
Great. Now we have a CAPA process compliant to both the regulation and the standard. But is it efficient and do you get high performance? Not yet.
So, now that we have reconciled the differences between the regulation and standard, how best can we build this into an efficient, highly effective CAPA system? After all, a compliant system doesn’t mean it works well, and in fact can suffer from the opposite; ‘death by CAPA’, which will happen if all quality events / issues are treated the same (‘gumming up the works’). This is where a risk-based approach really helps; it prioritizes the efforts on those issues that require the most attention. Quite simply, if every issue that enters the CAPA process is treated with equal importance, then the system will quickly grind to a halt and important issues will be overlooked (due to lack of visibility). Essentially, a risk-based approach to your CAPA process prioritizes the important issues. The best approach I’ve seen, which by the wa, is built right into MasterControl’s CAPA module, is to apply a gateway assessment soon after the onset of the CAPA process to determine how big of an issue is being considered. The improved steps in the process then look like this:
And here is what the process flow looks like:
By implementing a risk-based gateway soon after the discovery and initial information are provided, a reasonably accurate risk assessment can be made that determines the criticality of the issue, the immediacy, the course of action and even whether an MDR or recall needs to be initiated. Note that if during the course of the root cause investigation additional or different information is made available that changes the risk assessment, and updated assessment may be needed.
So now, even though we added another step to the process, by sorting according to priority, we can focus on those quality issues that truly need attention. You will even find that a considerable number of issues that enter the process never actually become a CAPA. You may ask 'what then becomes of the non-CAPAs?' Well, quite simply, they are documented and closed out without a formal CAPA investigation.
Let's use our production area tank example under two different scenarios; the first is when the tank is on the production line and contains a caustic solution related to the sterilization of the device and it is leaking rapidly on to the floor. If you perform an initial risk-based assessment, you will find that the safety of both the end user and production personnel may be impacted and that there is a high probability of occurrence; therefore, the risk is high. I'm guessing that there are few readers that would argue that this is not a CAPA.
Now, let's change the scenario to where the tank in a remote area and is only dripping small drops of a non-sterile soapy cleaning agent used to prior to a final rinse. The safety impact is minimal to the end user and production personnel. The probability of the tank running dry is low; therefore, the overall risk is low. Does this belong in a formal CAPA investigation? Not likely. Instead, the issue is documented with the low risk assessment, turned over to engineering for a repair and closed out.
If you follow the classic Pareto principle, approximately 80% of quality events that enter the system ought to be low risk and closed out after an initial gateway risk assessment. The other 20% are indeed higher risk and should be formally investigated for root cause (and follow the rest of the CAPA process). Think about how that might change your CAPA system and free up valuable resources to actually investigate the quality events that really matter.
Peter Knauer is a partner with MasterControl's Quality Compliance Consulting (QCC). Peter is co-founder and managing partner of Sage BioPartners, a boutique regulatory, compliance and CMC consulting firm for medical devices, drug products and combination products. You can contact Peter at firstname.lastname@example.org or email@example.com