Root Cause and Corrective Action for CAPA's lacking validation/verification

[mrsrobinson1110]

Our 13485 auditor found that some of our corrective and preventive actions lacked adequate verification or validation activities/documentation. My question is, how would I go about completing an investigation and root cause analysis on a procedural problem? I find myself repeating the same things for both......when completing an investigation/root cause analysis for a specific issue or problem, the investigation and root cause analysis are fairly straight forward, but I'm having trouble with what to put on procedural corrective action reports. Any suggestions? Thanks!

 

[Tagin]

When you say "CAPA's lacking validation/verification", was the auditor referring to 8.5.2f & 8.5.3e ("reviewing the effectiveness of the corrective/preventive action taken, as appropriate")? If not, what clause(s) did the auditor cite?

 

[Sinus Tarsi]

The five why's. Here's a good explanation:

Root Cause Analysis - The 5 Whys Technique (visual-paradigm.com)

 

[Bev D]

Here’s to you mrsrobinson LOL: What kind of corrective and preventive actions were found to be non complaint? Can you give specifics? Can you quote the finding?

 

[QuickSpace]

Our 13485 auditor found that some of our corrective and preventive actions lacked adequate verification or validation activities/documentation. My question is, how would I go about completing an investigation and root cause analysis on a procedural problem? I find myself repeating the same things for both......when completing an investigation/root cause analysis for a specific issue or problem, the investigation and root cause analysis are fairly straight forward, but I'm having trouble with what to put on procedural corrective action reports. Any suggestions? Thanks!

If I'm getting your question right, below is my input. Basically, when you are defining a Corrective and preventive action plan, you should always identify what is your plan to verify those corrective and preventive actions after it is implemented. For example, as part of a Corrective action plan, you are introducing a new process, updating that in your procedure, and releasing it, your verification will basically be, to verify whether the new process is implemented by your team, to see if there is the occurrence of same nonconformance which may be attached the evidence to it, it can be anything. If your corrective action is providing training, your verification will be training effectiveness evidence and training record. Verification would be checking your corrective action is effective - as simple as that.

 

[Bev D]

If you implement a “new process” verification would be that some procedural document was written or revised and released and probably that training was completed. BUT final validation of EFFECTIVENESS would be to audit/review/observe that the new process eliminated or substantially reduced the actual occurrence of the non conformance.

 

[mrsrobinson1110]

The auditor said specifically

"your firm failed to include requirements for validating the corrective and preventive actions to ensure that such action is effective and does not adversely affect the finished device. In addition, CAPA records reviewed during the inspection did not include verification or validation activities to demonstrate effectiveness."

I believe the problem stemmed from the CAPA's being written in such a way that there was an assumption that if the stated action was completed then the action would be effective. The actions WERE effective, but there was lack of follow-through in documenting the proof. I'm having a hard time putting into words how to validate a corrective action that is intended to correct un-validated corrective actions. It feels like I'm talking in circles! I think I'm going to go with re-training and verification/validation will be done during next audit.

 

[Ronen E]

My take:

First, Verification and Validation are not the same. They are actually quite different, at least in my world. When someone instructs you to "verify something" or they instructs you to "validate something", referring to the exact same "something", the resulting course of action necessary to comply with such instruction can be significantly different. Further, when it's required to "verify or validate" that "thing", it's quite different from requiring to verify it; to validate it; or to verify and validate it - because "verify or validate" means you can choose either, and suffice with that only (which to me doesn't make too much sense - the person should know what exactly they require, and if they don't they should use words like "ensure")... In the regulatory field words do matter. A lot.

Second, it's critical to note what exactly we're required to verify or validate.
Is it:
"the CAPA"...?
"the CAPA activity"...?
"the CAPA effectiveness"...? (and does that relate to the non-recurrence of the NC, or to the elimination of the perceived root cause?)
"the creation/existence of documented requirements / SOP for CAPA"...?
"the device's safety and effectiveness"...? (at what point/stage?)

There is a lot to observe/clarify here.

It seems to me that the auditor mentioned above did not care too much about these issues and didn't go to the trouble of clarifying these aspects beyond any practical doubt. Therefore, it's the auditee's job to ask the auditor questions proactively, until they are certain what exactly the NC is about and what they need to do to eliminate it (and prevent recurrence, haha). I would have actually asked the auditor "If we do <X> and show you <Y>, would we be on the right path to closing this NC?"

A prime source of guidance on this issue is ISO 13485:2016 Practical Guide. Highly recommended.

 

[Tidge]

The auditor said specifically

"your firm failed to include requirements for validating the corrective and preventive actions(*1) to ensure that such action is effective and does not adversely affect the finished device. In addition, CAPA records reviewed during the inspection did not include verification or validation activities to demonstrate effectiveness.(*2)"

(*1) This reads to me as if the procedures themselves are silent on the need to have an effectiveness check for CAPA Action Items.

(*2) This reads to me as if the CAPA records themselves are incomplete and require remediation; the remediation ought to be commensurate with the procedural updates made to satisfy (*1). Remediating all of the past CAPA can be painful, but without revisiting them for verification of effectiveness the same finding is likely to be found on the next inspection.

It should go without saying: Responding to this observation should be its own Corrective Action, with multiple action items.

I believe the problem stemmed from the CAPA's being written in such a way that there was an assumption that if the stated action was completed then the action would be effective. The actions WERE effective, but there was lack of follow-through in documenting the proof.

I have no reason to disbelieve you. Unstated assumptions and ad hoc-ery are dangerous things when trying to demonstrate any sort of "system", especially a quality management system.

 

[mrsrobinson1110]

My take:

First, Verification and Validation are not the same. They are actually quite different, at least in my world. When someone instructs you to "verify something" or they instructs you to "validate something", referring to the exact same "something", the resulting course of action necessary to comply with such instruction can be significantly different. Further, when it's required to "verify or validate" that "thing", it's quite different from requiring to verify it; to validate it; or to verify and validate it - because "verify or validate" means you can choose either, and suffice with that only (which to me doesn't make too much sense - the person should know what exactly they require, and if they don't they should use words like "ensure")... In the regulatory field words to matter. A lot.

Second, it's critical to note what exactly we're required to verify or validate.
Is it:
"the CAPA"...?
"the CAPA activity"...?
"the CAPA effectiveness"...? (and does that relate to the non-recurrence of the NC, or to the elimination of the perceived root cause?)
"the creation/existence of documented requirements / SOP of CAPA"...?
"the device's safety and effectiveness"...? (at what point/stage?)

There is a lot to observe/clarify here.

It seems to me that the auditor mentioned above did not care too much about these issues and didn't go to the trouble of clarifying these aspects beyond any practical doubt. Therefore, it's the auditee's job to ask the auditor questions proactively, until they are certain what exactly the NC is about and what they need to do to eliminate it (and prevent recurrence, haha). I would have actually asked the auditor "If we do <X> and show you <Y>, would we be on the right path to closing this NC?"

A prime source of guidance on this issue is ISO 13485:2016 Practical Guide. Highly recommended.

Is that the Practical Field Guide for ISO 13485:2016 by Myhrberg and Raciti?