CAPA Management: Best Practices and FDA QSR Mandate WHITE PAPER ComplianceQuest In-Depth Analysis and Review
CAPA Management: Best Practices and FDA QSR Mandate Establishing a corrective and preventive action (CAPA) system is a quality system requirement for Medical Device firms marketing products in the United States. Although the FDA has always expected regulated industries to perform corrective and preventive actions, establishing a unified CAPA system makes good business sense. The first and most important step in creating any system is to include all regulatory requirements in the firm's standard operating procedures (SOPs). The following are seven key elements from 21 CFR 820.100 (Each manufacturer shall establish and maintain procedures for implementing corrective and preventive action.) This should be included in a firm's SOPs: To get a handle on the CAPA system is a company wide effort. The following elements will provide what each company should do to create, maintain and leverage a sound CAPA platform. 1. Document Procedures It is important to define in a company's SOPs as which events should be promoted to a CAPA request and which qualified resource will have the final say. All the necessary CAPA process steps, which details on how a CAPA will be addressed, should be properly documented. 2. Qualified Resources QSR requirements mandate that companies have staff with qualified training, knowledge, and experience for the job. This staffing includes experienced quality assurance (QA) staff, who will manage the CAPA system. In addition, firms must invest in the databases and computer software that can perform the necessary processes. Device companies must include CAPA information in their required management reviews.
3. Information Source Companies should identify all the data sources they will use to recognize existing problems as well as potential problems for a CAPA system to function properly. A few of the good data sources for identifying existing and potential problems are acceptance activities, complaints, FDA-483 observations or warning letters, nonconformance or deviations, process monitoring data, calibration & preventive maintenance records, internal, external, supplier and third party audits, and customer or employee feedback. 4. Analyze Data should be examined on a regular basis. Trending should be done at least quarterly to be useful. In many cases, trending should be completed more frequently, such as on a monthly or daily basis. 5. Timeliness and Accuracy Are Key Companies must ensure the timeliness and accuracy of data being received into their systems. Companies must ensure that all the necessary data should be received, entered into a computer system and reviewed promptly. Such electronic systems must be 21 CFR Part 11 compliant, so records cannot be overwritten or deleted without a trace. Employees should be trained to immediately notify the QA department when they deviate from an established procedure or work instruction. A surveillance system is only as good as the information it receives. 6. Investigation As part of the investigation, companies must use statistical methods, when possible, so that they analyze data appropriately, while comparing data across different sources. The companies should look across all data, products, and facilities to detect recurring product problems as well as glitches within their quality system. While teaching employees how to conduct a problem investigation, they should also be trained to always include a good problem definition statement. It is helpful to review pertinent FDA inspection guides during
training and discuss how to investigate a problem using case studies from recent FDA-483s or warning letters. 7. Root-Cause Analysis Training It is essential that employees be competent in root-cause analysis and how to conduct a problem investigation. Causes often extend beyond the area or function where they are detected, so for major problems, assemble a crossfunctional team to perform the root-cause analysis. 8. Internal Audits FDA considers audits as one of the most important QA tools, so firms should routinely perform internal and quality audits. Current industry practice is to audit each QSR area at least once a year, and more frequently if there are problems in a particular area. Checking the status of CAPA items (to make sure that they are completed, and that the same problems are not repeating). It is an important step to take in an internal audit. 9. CA/PA Documentation, Follow-up and Reviews A clear and documented plan that includes deliverables and due dates should be developed as soon as the root causes of a problem are known. CAPA requests that have been open for more than a few months should require a written or periodic review to evaluate their status. Document that are expected to be complete, are still open, or whether additional resources are needed, etc. For long-term CAPAs, written status reports should be required, at least every 30 days. 10. Risk Management A clearly defined risk management process should be in place for elevating key items to senior management. Some companies may categorize risk by levels or by terminology (such as a critical, major, or minor risk a critical item being one that can lead to possible patient injury or FDA regulatory action). Many firms place a QA executive or management representative in charge of immediately notifying senior management about serious quality issues and ongoing
investigations. Routine information about quality system performance can be reported to management in periodic management reviews, monthly reports, weekly group meetings, etc. Bottom Line Depending on the maturity of a CAPA system, it may take some time to get it into the structure it should be. Bear in mind that a good way to start, is by improving any critical deficiencies first. Many companies in the medical device industry will admit that they are not yet pleased with (and are continually improving) their CAPA system. A company's CAPA system gets to the heart of all its employees' ability to think critically, to the quality and caliber of its QA executive and staff, and to the organization's commitment to the quality of its products. About ComplianceQuest: ComplianceQuest, an innovative 100% cloud based Enterprise Quality Management System solution company, provides an enterprise grade solution platform that streamlines quality, compliance, content and collaboration management initiatives and strategies across your enterprise and globally based supply chain networks. ComplianceQuest helps accelerate manufacturers and distributors to accomplishing their most challenging quality, compliance and supplier management goals. http://compliancequest.com/ ComplianceQuest, 2014