What are the FDA's requirements for CAPA (Corrective and Preventive Action)

Having a repeatable procedure for Corrective and Preventive Action (CAPA) is a key FDA requirement for medical device developers. Here’s what you need to know about these regulatory demands.

The need for CAPA procedures to form part of your QMS is written into the FDA QSR regulation, CFR Part 820. But it’s a requirement that many developers fail to deliver on.

In fact, one of the most common reasons for receiving an FDA 483 warning letter (a notice to highlight regulatory violations found during an inspection) is ‘inadequate Corrective and Preventive Action’ procedures.

So, what does the FDA require from your CAPA process and why do device developers so often get it wrong?

What does the FDA say about CAPA?

The FDA expects organisations to have a CAPA system that not only fixes immediate problems but also proactively addresses its root causes to prevent similar issues from happening again. This is achieved through a structured process that involves analysis, investigation, action, validation, and continuous monitoring, with all activities thoroughly documented and communicated throughout the organisation.

The FDA’s objectives and requirements for a CAPA system are listed in the FDA 21 CFR Part 820.100 and FDA Guide to Inspections of Quality Systems:

"The purpose of the corrective and preventive action subsystem is to collect information, analyze information, identify and investigate product and quality problems, and take appropriate and effective corrective and/or preventive action to prevent their recurrence.”

Requirements for a compliant CAPA process include:

• Data collection and trend analysis
• Investigating the cause of the non-conformities
• Identifying the actions needed to correct and prevent recurrence
• Verifying/validating the corrective and preventive action
• Implementing and recording changes in methods and procedures
• Ensuring information is shared with the right stakeholders
• Submitting relevant information for management review
• Assessing and prioritising issues based on risk

• Documenting all the above activities.

It’s also worth noting that it’s not just your own internal non-conformances that your CAPA process should be addressing. The FDA requires you to develop procedures for handling CAPAs related to supplier quality issues, too. These should include how you communicate with suppliers, track their corrective actions, and verify their effectiveness.

Are you capable of meeting these CAPA demands?

1. Are you collecting and analysing information? 

FDA guidelines state that you should have both reactive and proactive processes in place to trigger CAPA procedures when required.

Some of the internal and external inputs for initiating your CAPA process include:

As well as having a process for capturing and dealing with complaints and feedback from product users, you should also have procedures in place to routinely check for potential non-conformities in the way you work.

QSR 820 says developers should be:

“Analyzing processes, work operations, concessions, quality audit reports, quality records, service records, complaints, returned product, and other sources of quality data to identify existing and potential causes of nonconforming product, or other quality problems. Appropriate statistical methodology shall be employed where necessary to detect recurring quality problems”

The regulation requires you to conduct trend analysis, to help identify recurring or systemic issues that might not be apparent when looking at individual incidents. You should be using analytics to reveal patterns that require broader corrective actions or preventive measures.

2. Are you investigating effectively?

Once a non-conformity has been identified and logged, you must evaluate whether it is a systemic issue.  If it is found to be a systemic problem then the CAPA investigation process should be triggered.

Once a non-conformity has been identified and logged, you must evaluate whether it is a systemic issue.

If it is found to be a systemic problem then the CAPA investigation process should be triggered.

The purpose of the investigation is to understand the root cause of the non-conformity, In other words why did the issue happen? Don’t confuse the symptoms of the problem with the cause. You need to keep digging to see what lies behind each identified failure.

Every CAPA investigation needs

• A clear objective
• A risk assessment to prioritise action on the issue
• A repeatable and documented procedure to be followed
• A cross-functional team who will contribute to the investigation

The investigation should result in a report or record that documents your findings, including:

• A full description of the nonconformity event
• A root or probable cause for the nonconformity event
• Objective evidence to support conclusions
• Description of statistical methods used
• Final risk assessment to determine next steps

3. Can you identify actions to correct and prevent reoccurrence?

According to the FDA, the failure to take and document preventive action is an area where many organisations fall down. It is reportedly the 4th most common cause for a 483 warning letter to be sent.

This is the whole point of the CAPA process. Based on the investigation and evidence, you need to document the corrective steps that need to be taken to resolve the issue - and then what steps will need to be taken to prevent it from recurring.

It's crucial to set clear timelines and deadlines for implementing these actions. The FDA expects timely resolution of quality issues, so your CAPA process should include mechanisms for setting and tracking these deadlines.

Documentation should also include clear closure criteria for each CAPA, specifying when it can be considered resolved.

4. Are you verifying/validating corrective and preventive actions?

Your CAPA responsibilities do not end when required corrective actions are identified and implemented within your system.

You need to have the tools to verify and validate that they are working. This includes conducting effectiveness checks after implementation to ensure the issue has been fully resolved. In implementing new processes and procedures, you may even have introduced new problems that could result in fresh issues!

How does your QMS trigger and control validation activity and effectiveness checks following changes? Without the tools to automate and remind the business of the need to do this, these vital checks can end up being neglected.

5. Are you implementing and recording changes in procedures?

SOPs and other quality documentation need to be fully updated to reflect any changes in the way you work following a CAPA investigation.

Your CAPA process should include steps for identifying who needs to be trained in these new procedures and how this training will be delivered and documented.

Make sure you have the automated change control procedures in place to trigger these actions. 

6. Are you sharing this information effectively? 

Your QMS should be the single source of truth for the entire organisation around your quality managent practice. But even if you dutifully update and republish SOPs documentation to alert workers to required changes in their process, this may not always successfully change behaviour.

Selecting a graphical Quality Management System (gQMS) that visually represents Standard Operating Procedures (SOPs) and their dependencies using flowcharts and diagrams can help employees quickly understand and adapt to changes.

This high-level visual approach enhances engagement with the system and makes it easier to follow process. For example, hyperlinks embedded the process flow chart in the Cognidox platform, link directly to the relevant files stored in the Document Management System (eDMS).

Your eQMS should also be able to alert and notify specific users when contents relevant to them are updated. There’s no point making a change if no one knows they have been made, or where to review them.

Remember, a CAPA system should not operate in isolation. It should be integrated with other quality management subsystems like change control, complaint handling, and audit management. This integration helps ensure a holistic approach to quality management that the FDA requires.

7. Are you submitting relevant information for management review?

Does your eQMS help management routinely monitor progress against plans, as well as effectiveness metrics and outcomes?

Do you have the systems in place to formally share details of CAPA investigations and recommended changes with senior management?

The FDA need to see evidence of how they are alerted and kept apprised of developments.

Have you developed and tracked metrics that measure the effectiveness of your CAPA system? These might include metrics like CAPA closure rates, recurrence rates, or time to implement corrective actions.

8. Are you documenting all your activity?

Every step of your CAPA process should be documented in real time and be readily available for audit. The FDA requires you to keep detailed records of CAPA investigations to ensure transparency and traceability in all your quality management decision-making.

You should also establish clear retention policies for CAPA records that meet both FDA regulations and your organisation’s internal quality standards, ensuring that these documents are accessible whenever needed.

Conclusion

To be really effective, the importance of CAPA needs to be established at a cultural level across your organisation. When you are developing your QMS you should be looking for digital tools that allow you to embed and automate CAPA processes so they become the ‘way you work’.

If you need to improve the quality of your CAPA process and record keeping you should start with reading our blog about implementing the 7 steps of CAPA management. You can also use many of the templates and resources on this site to start building an FDA compliant eQMS that is fit for purpose.

Blog post updated on 10/10/2024