Any good examples of CAPA forms that include a risk based approach?

[gemsmom]

I need help with coming up with an easy to follow CAPA form that meets the necessary requirements of the standard. Anybody have any examples? We are a very small business and the less complex the better.

 

[Golfman25]

Try a search for 8D forms. There are many examples.

 

[William55401]

I have no forms. But, a good practice is to assess both product risk as well as QMS risk in your process. Keep these items separate to drive prioritization.

 

[Ed Panek]

Classify it based on:

High Risk -

This change will impact a high number of users;

or impact a smaller number of users in a significant manner for the intended use of the device;

or this affects in any manner the safety of the device/device user.

Else; Low Risk

Something like this.

 

[yodon]

Realize that risk, per the standard, "pertains to safety or performance requirements of the medical device or meeting applicable regulatory requirements." So my hierarchy is along the lines of the product risk rankings with regulatory folded in. I generally use: death (if you have a CAPA that deals in this, you probably have bigger issues), serious injury, non-serious injury / major noncompliance, inconvenience / minor NC, annoyance.

You can try to fold in impact to number of users (patients) but an annoyance that may affect a broad population would need to be lower on the risk scale than something that potentially causes death, for example.

Possibly the more challenging aspect than ranking the risk is how that affects the CAPA process. For High risk, for example, do you set a target of establishing the root cause(s) and defining the action plan for, say 1 week? Whereas low risk maybe gets 30 days? (Please avoid a pre-defined target closure period as you can never hard-code the time it takes to establish effectiveness.)

 

[Bev D]

Our system includes two elements of risk. We use it for both our quality system compliance (which includes USDA regulations, etc.) and our product quality performance. The vast majority of our corrective actions (8D) are for product quality simply because these are the higher risk (effect and actual occurrence or defect rates). We use a simple 1-5 scale - although a 1-3 scale might work for you - for severity of effect and then we list the actual defect rate.

The key we have found is to keep it simple, don't guess, and be honest in your assessment.

 

[Cutepretty1]

After you have determined the risk (high, medium, or low) what do you require differently for the CAPA based upon the risk? Is the approach the same regardless of risk or are you doing anything differently for different risk CAPAs. What are the requirements between high, medium, and low risk?

 

[Enternationalist]

Something fundamental about a "risk-based approach" is that it is basically asking you not do things in a one-size-fits-all way. A philosophically "perfect" risk-based approach would take each element of a problem and analyse it deeply to come up with a rich description of the nature of risk at hand, and what actions are appropriate for that problem.

This is a good thing, because it means you don't need to go through an enormous process to resolve minor issues - and it means that you aren't "punished" for taking the time necessary to properly resolve major ones.

The complication, of course, is that people don't necessarily think the same way - so taking a risk-based approach in a way that is consistent for your organisation can be difficult to do. This is why there is a need to establish a framework of acceptance criteria, et cetera, for risks. If you're a one-person business (for the sake of argument), maybe you could just have a simple blank space for risk assessment as long as you are diligent enough to put in a consistent assessment every time; but it quickly gets hard and unreasonable to rely on this consistency.

For this reason, I would say this problem is much less about the form, and more about your general process, attitudes and conventions around risk assessment in general. If you are assessing the risk of something, how will you actually go about it? How will you write your justification? How will you make sure different things are assessed in a consistent and reasonably repeatable way?

If you can answer these questions, I think it will become obvious what sort of form you need to provide.

 

[yodon]

The MDIC has a "Case for Quality" initiative going and one of the Projects is for improving CAPA. They have a framework defined for a risk-based approach and have enrolled 15 companies to pilot the program. They had a public forum yesterday where they had one rep from one of the companies piloting discussing how it was going. I think the video will eventually be posted on their resource page but you can poke around on the site and see some earlier materials for the CAPA project.

This is also coupled with their NC Grading approach and, to me, it makes a lot of sense. In the forum yesterday, they did discuss being audited / inspected and, while there was some initial push-back, the auditors / inspectors eventually agreed that the approach met regulatory requirements. I think with a reputable organization like MDIC backing it, the concepts have a better chance at acceptance than just one company trying something new.

P.S. They are still looking for additional companies to participate in the pilot program.