Beyond CAPA: Using Risk Assessment to Streamline Your Quality System
The result is thousands upon thousands of CAPAs, with varying degrees of severity, assigned in the order they were created—a pile of virtual papers stacking up on the quality assurance manager’s inbox. This becomes a problem when the “critical” CAPAs—those events that have the most impact on the business as a whole—become lost in the pile, hidden among non-critical, immediately correctable events, and virtually invisible to the enterprise.
Following is a new risk-based methodology that effectively can reduce CAPAs as a whole. By employing this methodology, crucial CAPAs are extracted to determine the overall business impact, correct the problem and implement the change throughout the enterprise.
Why CAPA Needs Help
Where does this problem begin? CAPA is an effective means of identifying and correcting quality and compliance events within the organization, and it is the heart of the quality system. However, if every event becomes a CAPA, then the bottleneck in the system becomes the CAPA process—a quality system heart failure. How do we keep our CAPA process healthy?
Does every event need to be a CAPA? Are there are non-critical events in a quality system? Whether it is an anomalous cosmetic defect on a single lot on the line, or simply a minor complaint, these events, while important to address, can be handled directly within the process in which it was found. This concept of immediate correction saves time and effort, avoiding a long CAPA process. With the proper documented process, immediate corrections can be effective in handling events while still adhering to your quality standards and practices. That said, trend analysis on immediate corrections can give light to any systemic events that may require a CAPA.
By implementing immediate corrections and trend analyses, you free up time for the critical events. But how do you discern between the non-critical and the critical? The answer is risk assessment.
Risk Assessment Finds Needles in the Haystack
Risk management and risk assessment are not new to the quality and compliance industry. In fact, risk has been a prominent feature in such standards as ISO 13485:2003, ISO 14971 and more. Here risk is used to effectively extract the critical events as they are recorded and automatically initiate an investigation for a CAPA.
As events come into the system, whether a complaint, a nonconformance, an audit or any other event, the initial form will have a risk table that includes information such as severity, frequency or pre-defined risk elements. Based on the risk table results, the event can be either immediately corrected within the process or investigated more thoroughly. The recorded results build a knowledge base of potential critical events to further automate the risk assessment process.
CSI: CAPA Severity Investigation
We have filtered potential critical events using risk-based filtering. The CAPA process could start here, but in an enterprise environment, there may be more details to consider before arriving at that point. Many organizations are adopting an investigation process, a kind of “pre-CAPA” due diligence. This involves subject-matter experts, additional risk filtering, statistical analyses, material review board assessments and more, all with the overall goal of determining the enterprise impact of these events. There may be events that have true strategic, financial and/or operational impact on the business and require an investigation to ensure the right department or individual is handling the process.
When the event finally enters the CAPA process, it is a significant, critical event that will have a true impact on the quality system, or the company as a whole.
The CAPA Process
Up to this point, we have defined the overall level of risk and problems associated with events. We have linked the event to a process and measured the process’ effectiveness. The CAPA process involves using this collected information to create a CAPA action plan with a series of assignments, verification criteria and list of related events. The CAPA action plan ultimately launches the process that will correct the event, lowering the risk and overall impact on the company.
After CAPA—What Now?
The CAPAs transform things in a company. They can change processes, affect documentation, affect employee training and have an impact on the entire company. As a CAPA finishes its cycle, it is important that the system is linked to document control, change management, deviations, training and more. The result of a CAPA can initiate document change requests, process change, training on new documents, product deviations—anything affected by the outcome of the CAPA automatically is linked and integrated, closing the loop on the CAPA process.
Benefits of Filtering CAPA
Risk Assessment Strategy: From Concept to Reality
Many leading medical device manufacturers employ a risk assessment strategy to streamline the CAPA process. In several cases, technology is leading the charge in not only employing this methodology, but further automating the process. Look for quality management software systems that incorporate risk assessment to the CAPA process or tools that are able to filter out critical events and set priority levels to them. The key is finding a system that has the flexibility and depth to match your business processes, while improving your operational control using filtering, risk and investigation. Many systems have integration technologies to link to other external business systems and other processes (eg, document control, deviation, change management, etc.).
Implementing such a system is a bold step toward improving the operational control your business has on event management. By using concepts such as immediate correction, investigation, risk assessment, filtering and DMAIC process-based CAPA, your business will be able to streamline the CAPA process, eliminate events that are immediately correctable and focus your quality system on the essential events that have the most impact on your business. The end result is that CAPA will become a focused process with true operational impact, and not just a catchall.
Tim Lozier (firstname.lastname@example.org) is the corporate development manager for EtQ, Inc. in Farmingdale, NY. He has extensive experience in the software industry, and has been involved in the creation of leading-edge technologies in user interface design and development for companies such as Quark, where he was an application development engineer. EtQ, Inc. is an enterprise quality and environmental management software company that integrates flexible workflow to automate quality processes.