Creating a Risk-Based CAPA Process ISO 14971 ISO 13485, Clause 8.5.2 / 8.5.3
Inputs to the CAPA Process CAPA is the heart of a Quality Management System (QMS) and indicates how effective the QMS is: NCMR’s VOC Surveys Complaints Internal Audits Mngt. Review CAPA’s Effectiveness MAUDE Clinicals Service Validation Risk Analysis
Where is risk as in Input? NCMR’s VOC Surveys Complaints Internal Audits Mngt. Review CAPA’s Effectiveness MAUDE Clinicals Service Validation Risk Analysis
Why Risk-Based? 21 CFR 820 – 1 instance of the word “risk” ISO 9001:2008 – 3 instances of the word “risk” ISO 9001:2015 – 43 instances of the word “risk” ISO 13485:2003 – 4 instances of the word “risk” ISO 13485:2015 – 47 instances of the word “risk” “13485 Plus” is a guidance document that was published by the Canadian Standards Association in February 2006. I have been recommending it over all other guidance documents for quality system implementation since 2010. It mentions the word “risk” 60 times. http://bit.ly/13485Plus
14971 Plus - http://bit.ly/ShopCSA For those of you that are implementing ISO 14971 for the first time, or if you are going to audit the risk management process for the first time, I highly recommend purchasing “14971 Plus” from the Canadian Standards Association. It is the only guidance document that I know of for the implementation of ISO 14971. I provided a link and a screen capture for anyone that is interested in purchasing it.
14971 Plus = Standard + Gap + Bonus Tools “14971 Plus” does not include the Annexes in the back of ISO 14971, but it does include the complete copy of each clause from the ISO 14971:2007. In addition, it includes a small text box beneath each clause explaining the changes that were made between ISO 14971:2000 and ISO 14971:2007. The beginning of the guidance document also includes an implementation plan with a sample Gantt Chart.
Bonus Tools in 14971 Plus The most valuable parts of “14971 Plus” are the bonus tools in each section. Anyone that is going to be auditing the risk management process will find the questions extremely valuable. The ability to cut-and-paste these questions out of the PDF version and put them into an internal audit checklist a huge timesaver that more than justifies the expense for the electronic version. You may also want to purchase the hardcopy version. It comes with a spiral binding that makes it easy to flip through during an audit or when you are writing risk management documents.
Risk Management is a Process 4 – Risk Analysis Risk Assessment 5 – Risk Evaluation 6 – Risk Control Risk Management 7 – Residual Risk Acceptability 8 – Risk Management Report This diagram identifies the various steps of the risk management process, and each number represents the corresponding clause in the ISO 14971 Standard. In the first edition of the Standard, issued in 2000, the focus was on risk assessment. However, in 2007 the second edition of the Standard was issued and the title was changed to Risk Management. The biggest emphasis throughout the second edition of the Standard is the focus on gathering post-production information, which is the last clause in the Standard, and reviewing that information for its potential impact upon your risk analysis and risk controls. 9 – Production & Post-production Info
Risk is Filter & Prioritization Tool “Death by CAPA” CAPA Quality Issues Quality Plan Risk Analysis Trend Analysis Formal CAPA We use a risk-based approach We always initiate a CAPA
Mitigation vs. Control In the 2007 version of ISO 14971, the term “mitigation” was removed. Mitigation implies elimination of risks, while control implies reducing and monitoring risks. In addition to the focus on gathering post-production information in the second edition, the 2007 version of ISO 19471 also no longer includes the term mitigation. Instead mitigation was replaced by the concept of risk controls in Clause 6. The term “mitigation” implied that risks could be completely eliminated, while the term “risk control” implies the more realistic concept of reducing and monitoring risks.
Corrective Action (ISO 9001:2015) Clause 10.2 – Nonconformity & Corrective Action 10.2.1 When a nonconformity occurs, including those arising from complaints, the organization shall: react to the nonconformity, and as applicable: take action to control and correct it; deal with the consequences; evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it does not recur or occur elsewhere, by: reviewing the nonconformity; determining the causes of the nonconformity; determining if similar nonconformities exist, or could potentially occur; implement any action needed; review the effectiveness of any corrective action taken; make changes to the quality management system, if necessary. Corrective actions shall be appropriate to the effects of the nonconformities encountered. NOTE 1 In some instances, it can be impossible to eliminate the cause of a nonconformity. NOTE 2 Corrective action can reduce the likelihood of recurrence to an acceptable level. 10.2.2 The organization shall retain documented information as evidence of: the nature of the nonconformities and any subsequent actions taken; the results of any corrective action.
Definition of Risk in ISO 9001 ISO 9001:2015, Clause 3.09 [Source: ISO DIS 9000:2014, 3.7.4] - effect of uncertainty on an expected result Note 1 to entry: An effect is a deviation from the expected — positive or negative Note 2 to entry: Uncertainty is the state, even partial, of deficiency of information (3.50) related to, understanding or knowledge (3.53) of, an event, its consequence, or likelihood. Note 3 to entry: Risk is often characterized by reference to potential “events” (as defined in ISO Guide 73:209, 3.5.1.3) and “consequences” (as defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these. Note 4 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of occurrence. Note 5 to entry: The term “risk” is sometimes used when there is only the possibility of negative consequences
Preventive Actions in ISO 9001:2015 Annex A.4 – Risk-based Approach “One of the key purposes of a quality management system is to act as a preventive tool. Consequently, this International Standard does not have a separate clause or sub-clause titled 'Preventive action’. The concept of preventive action is expressed through a risk-based approach to formulating quality management system requirements.”
Corrective Action (ISO 13485:2015) Clause 8.5.2 – The organization shall take action to eliminate the cause of nonconformities in to prevent recurrence. Corrective actions shall be appropriate to the effects of the nonconformities encountered. The organization shall document a procedure to define requirements for: reviewing nonconformities (including complaints); determining the causes of nonconformities; evaluating the need for action to ensure that nonconformities do not recur; planning and documenting action needed and implementing such action in a timely manner, including, as appropriate, updating documentation; verifying that the corrective action does not adversely affect the ability to meet applicable regulatory requirements or the safety and performance of the medical device; and reviewing the effectiveness of corrective action taken. Records of the results of any investigation and action taken shall be maintained
Preventive Action (ISO 13485:2015) Clause 8.5.3 – The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions shall be appropriate to the effects of the potential problems. The organization shall document a procedure to describe requirements for: determining potential nonconformities and their causes, evaluating the need for action to prevent occurrence of nonconformities, planning and documenting action needed, and implementing such action in a timely manner, including, as appropriate, updating documentation, verifying that the action does not adversely affect the ability to meet applicable regulatory requirements or the safety and performance of products, and reviewing the effectiveness of the preventive action taken, as appropriate. Records of the results of any investigations and of action taken shall be maintained
21 CFR 820.100 Each manufacturer shall establish and maintain procedures for implementing corrective and preventive action. The procedures shall include requirements for: Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems; Investigating the cause of nonconformities relating to product, processes, and the quality system; Identifying the action(s) needed to correct and prevent recurrence of nonconforming product and other quality problems; Verifying or validating the corrective and preventive action to ensure that such action is effective and does not adversely affect the finished device; Implementing and recording changes in methods and procedures needed to correct and prevent identified quality problems; Ensuring that information related to quality problems or nonconforming product is disseminated to those directly responsible for assuring the quality of such product or the prevention of such problems; and Submitting relevant information on identified quality problems, as well as corrective and preventive actions, for management review. All activities required under this section, and their results, shall be documented.
Containment & Correction 21 CFR 820.90 – Control of Nonconforming Product (new language in ISO 13485:2015, Clause 8.3) 21 CFR 806 – Recalls/Corrections & Removals
Risk Controls Inspection – 21 CFR 820.80 Process Validation – 21 CFR 820.75
21 CFR 820.250 Statistical Techniques Where appropriate, each manufacturer shall establish and maintain procedures for identifying valid statistical techniques required for establishing, controlling, and verifying the acceptability of process capability and product characteristics. Sampling plans, when used, shall be written and based on a valid statistical rationale. Each manufacturer shall establish and maintain procedures to ensure that sampling methods are adequate for their intended use and to ensure that when changes occur the sampling plans are reviewed. These activities shall be documented.
Definition of Risk in ISO 13485 ISO 13485:2015, Clause 3.14 [Source: ISO 14971:2007, definition 2.16] – combination of the probability of occurrence of harm and the severity of that harm P1 & P2 from Annex E of ISO 14971:2007
Hazard vs. Harm ISO 14971, Clause 2.3 – Hazard is a “potential source of harm” [ISO/IEC Guide 51:1999, definition 3.5] ISO 14971, Clause 2.2 – Harm is a “physical injury or damage to the health of people, or damage to property or the environment” [ISO/IEC Guide 51:1999, definition 3.3] The concepts of hazards and harms are important for everyone to understand when they are discussing risk management, and frequently we use these terms interchangeably when we shouldn’t. I have provided the definitions from the ISO 14971 Standard, but the best way to remember the difference is with an example. An example of a hazard is a ladder with a broken rung. An example of a harm is what happens to you when the rung breaks, you fall 10 feet, and you hit the ground.
CAPA & Risk Management Tasks Hazard Identification Risk Management Plan Risk Control Effectiveness Verification Risk Assessment Risk Analysis CAPA Initiation Root Cause Analysis Corrective Action Plan Implementation Effectiveness Verification CAPA Opened CAPA Closed Risk Control Option Analysis
Process Types & Risk Controls Manual Processes 100% Inspection Semi-Automated Processes Sampling Plans Automated Inspection Automated Processes Process Validation Batch Processes Trend Analysis & Statistical Techniques
Quality Management System Planning ISO 13485:2015, Clause 5.4.2 Top management shall ensure that: the planning of the quality management system is carried out in order to meet the requirements given in 4.1, as well as the quality objectives, and the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented. NOTE: Quality management system planning normally includes identification and implementation of action items that are intended to accomplish quality objectives, monitoring the progress toward completion of action items, and revision to the planning based on monitoring.
Change Management Advice Training Plan – Competency (ISO 13485:2015, Clause 6.2.2b) Monitoring & Measurement Plan ISO 13485:2015, Clause 8.2.2 – Internal Audit ISO 13485:2015, Clause 8.2.3 – Monitoring & Measurement of Processes Update your Master Validation Plan & Revalidation Requirements
Other Training Webinars How to Improve Your CAPA Process http://medicaldeviceacademy.com/5-ways-improve-capa-process/ http://medicaldeviceacademy.com/implementing-risk-management-process-compliant-iso-149712007-address-seven-deviations-identified-en-iso-149712012/
Q & A 1. If you were going to maintain both an ISO 9001 and ISO 13485 quality system, how would you reconcile the differences in the definition of risk for device and pharma companies? 2. As a follow-up to the last question, how would you address Clause 8.5.3 for preventive actions that no longer exists in ISO 9001:2015? 3. I heard someone use the terms "Product Risk Management" and "Process Risk Management". Could you explain how these two concepts relate to risk-based CAPAs? 4. Would you use a process failure modes and effects analysis (pFMEA) for documenting risk-based CAPAs? rob@13485cert.com
Do You Need Help Updating Your Quality System to ISO 13485:2015? Rob Packard rob@13485cert.com +1.802.281.4381 rob13485