What Happens When Your Medical Device has an Issue - The CAPA Process

Corrective and Preventive Actions (CAPA) are how you fix issues that have been identified with your medical device. Think of it as a formal way of documenting your problem fixing process. 

What triggers a CAPA? Issues may come from adverse events, nonconformities, audits, customer complaints, a defective component, or if your device is simply not working the way it should. 

General steps involved in CAPA:

1. Identify and Investigate the Problem
2. Plan Your Fix
3. Implement Your Fix
4. Monitoring, Reporting, & Reviewing
5. Be Ready for Audits

Don’t worry, we’ll explain what all of these mean below.

What Should Really Cause a CAPA?

CAPAs are initiated by you, at your discretion. Auditors seem to be comforted when they see you handling any issues with CAPAs. However, you should initiate a CAPA only when it is absolutely needed because the process to close one once you have started can take a while and requires a decent amount of paperwork.

So when is the right time to start up the CAPA process? 

If you answer yes to any of these questions about an issue that arises, you should probably initiate a CAPA. 

• Is the issue a critical safety concern for your device?
• Does it significantly impact product performance or usability?
• Is it a recurring problem or part of a larger systemic pattern of issues?
• Could the issue affect your compliance with the MDR, FDA regulations, ISO standards, or other industry requirements needed for your device? (aka does it change your device classification, alter your GDPR compliance, etc.)
• Is the issue related to broader problems in your quality management system, including procedures or training?

Initiating CAPAs on every little thing, affectionately called being “CAPA Happy” by quality and regulatory folks, can slow you down and reduce the effectiveness of the process over time. If you are setting up your CAPA process for the first time, make sure to initiate CAPAs for serious issues or things that auditors want you to change.

You can always adjust your process to include more product or company issues that merit a more substantial process for remedy. 

Besides, CAPAs are meant to address systemic or severe problems that have appeared more than once, so one adverse event or complaint isn’t necessarily sufficient to trigger one unless it is severe. 

If you’re still unsure whether the issue should be addressed with a CAPA, consult with your teammates from other departments or experts like those at Formly to see what they think. Creating a checklist to use whenever you’re considering whether to start a CAPA is usually very helpful.

Trust the Process - How CAPAs Work

Now that we’ve identified what causes a CAPA, what should you do when you identify one?

The CAPA process actually helps to guide you through the problem in a comprehensive way. This keeps your device compliant and performing as it should. CAPAs are meant to help you identify and fix problems BEFORE they become major issues. 

Guidance for the CAPA process in the EU comes from ISO 13485, with additional reporting requirements set out in Article 89. 

You can find FDA guidance on their CAPA page. 

Here’s a general rundown of the process for both the EU and FDA. 

Step 1: Identify and Investigate the Problem 

First, you need to find out what went wrong. This is often the hardest part. 

You may have discovered this problem due to a customer complaint, internal audit, or maybe you just noticed it when going over procedural documents. Your first move should be to investigate it using the data you have available to you. 

Review any internal data like customer complaints, process control data, internal audits reports, or procedures that were relevant to the issue. External data is also fair game. You can check out sources like vigilance databases (swissmedic, bfarm, etc.) for adverse events reported or service/repair records for your product.

You want to figure out the root cause of the issue so that when you fix it, it won’t come up again. There are a few ways to do this and we describe them below. This is called performing a root cause analysis. 

• The 5 Whys Method
  • The diagram helps you visualize the relationship between problems and their potential causes. This is particularly useful when you believe the problem stems from a quality, manufacturing, or development process or need to determine where the problem came from in the chain of manufacturing. 
  • It can be useful to sort causes –when it’s a manufacturing problem– into categories like: man, machine, method, measurement, and environment, so you can see where the problem lies. 
  • Here’s what a 5 whys diagram can look like: 

• Fault Tree Analysis
  • Use this when you believe that the problem has multiple causes. This can break down the causes by level and visually display how complex problems can combine to result in a singular outcome. 
  • Here’s what a fault tree may look like: 

• Statistical Process Control
  • Use this if the problem is part of a larger trend, indicating a significant systemic problem. 
  • The graph can help you monitor if a process is stable or in control over time. This can reveal trends, shifts, or significant variations. This is especially useful if your process is measurable and you have specific process control limits for the problem you’re experiencing. 
  • Here’s what a statistical process control graph may look like:

• Failure Modes and Effects Analysis (FMEA)
  • An FMEA forces you to review all components, assemblies, and subsystems to identify any failures and their potential causes and effects. You can use an FMEA to generate a score for the risk you get from each failure mode
  • For this, the general steps are as follows:
    • Define the scope of the investigation. Are you covering a specific process, subsystem, or the entire system?
    • Break down the steps into individual processes or components. 
    • For each process step, identify all possible ways it can fail and the possible effects of each failure, considering the impact on the customer or user. Rate the severity 1-10. 
    • Rate the likelihood of each event from 1-10. 
    • For each failure, look at what checks you have in place to prevent it from occurring. That will allow you to rate each event from 1-10 for its detectability. How easy is it for you to know something went wrong before it reaches the customer?
    • Multiply the Severity x Likelihood x Detectability to determine the risk priority. The higher the number, the higher the priority. 

There are a lot of options, for those just starting with their CAPA process we usually recommend using the 5 Whys as it tends to be the easiest concept to grasp for newbies. 

EU MDR: For Serious Safety Issues, Talk with Your Notified Body

When you identify a severe problem in the EU, you must report it to your notified body and the competent authorities of the Member States where the problem occurred ASAP. An example report from BfArM is here.

As a refresher, the notified body is responsible for CE marking your device and they are who you do your audit with to receive your CE certificate (if you are above a Class I device). As for competent authorities, there is one in each country in the EU and they are primarily responsible for overseeing medical devices and safety events in their country and can enforce recalls and things like that. You can usually think of it as your notified body is your CE mark and your competent authority is your public safety authority.  

The report you give them should include detailed information about the incident, the devices involved, and a comprehensive risk assessment. Your notified body will review your incident report to ensure compliance with reporting requirements and help you determine if further action is needed.

FDA: Investigate and Assess Internally

On the FDA side of things, most of the process is completed in-house and then validated through inspections. Since you are in charge of initiating CAPAs, you want to be sure that you’re only performing them when needed, but not overlooking any major, systematic, or potentially dangerous issues. 

If you fail to initiate a CAPA when one is needed and the FDA identifies one through inspection, you can receive a 483 notice or, if the situation escalates, a warning letter. You must respond to either of these notices within 15 days of receipt. If initiated by the FDA, these notices and their subsequent actions (like retraining, writing new procedures, redesigning your product, etc) can be costly and subject you to higher levels of scrutiny.  

If a customer complaint is what triggers the CAPA, the FDA will be aware of it from the start because it must be reported through the Medical Device Reporting System. 

Step 2: Plan Your Fix

You need to create a plan to fix the CAPA. This plan should eliminate the root cause that you identified in the first step. Make sure the actions are proportionate to the problem—bigger issues need bigger fixes.

Look for ways to prevent the problem from happening again. This might mean changing your processes, adding new checks/detection methods, or improving training.

EU MDR: For Serious Incidents - Field Safety Corrective Actions

For serious incidents, you will need Field Safety Corrective Actions (FSCA) in order to remedy it if there is a chance for it to happen again. These can take the form of recalls, modifications, notifications to users, or other corrective measures to reduce or eliminate the risks.

Your notified body will evaluate your proposal with the competent authority to ensure it is effective in addressing the issue. These regulatory bodies will work together to determine the severity of the risk the problem poses to your customer base and assign deadlines for corrective actions. If they feel the report doesn’t properly address the issue, they may request modifications or more information.

Step 3: Implement Your Fix

Next, you’ll implement the corrective actions to fix the problem. This may include actions like product recalls, changing manufacturing processes, sending notifications to users, implementing team training, or modifying the device design or labeling. 

Make sure all of your changes are documented and you update any processes to include the changes you made. This keeps everybody on the same page and makes audits easier down the line. 

EU MDR: Notified Body Oversight & Field Safety Notices

Specifically for serious safety incidents that require an FSCA, your notified body will monitor the fix-implementation process to ensure compliance with the plan and regulatory requirements. They may conduct audits and inspections to verify the effectiveness of the corrective actions. 

EU member states like to ensure that consumers are informed about any problems or fixes related to devices they use, so if you have a FSCA you will likely have to draft a Field Safety Notice (FSN). In the notice, you explain the reasons for the FSCA, any risk involved, and the actions users need to take. Your notified body reviews it to ensure it is accurate and comprehensive and the competent authority gets the final say for approval. 

Step 4: Monitoring, Reporting, & Reviewing 

After your plans are implemented, you will continue to monitor the situation to ensure that the corrective actions are effective and that they will prevent any further incidents. This should become part of your post-market surveillance system.

At a larger company, you may not be involved in the CAPA process from the beginning except to review or validate the actions. Whoever performs the changes will communicate the results of the CAPA activities to those responsible for the quality of the product, which is usually management.

Usually, you will issue a final report on the CAPA and determine if the CAPA is “closed” which means the fix has been implemented and you verified that it worked. The final report should be saved internally for your reference. Additionally, most companies have a list of their CAPAs where they update which ones are open or closed. This should also be updated once a CAPA is closed. You should establish clear criteria for closing a CAPA, ensuring that all actions have been completed and verified as being successful. 

You can find a free CAPA checklist here that helps you get through the process without missing any steps so that you can close them out without a problem.

Review and audit CAPA records regularly to verify that CAPAs have been resolved to your satisfaction (and that of regulatory bodies). This also prepares your organization for any external audits and inspections by the FDA or your Notified Body.

EU MDR: Final Report

For most CAPAs, you’ll outline their closing details in your normal post-market surveillance reports like the periodic safety update report or post-market surveillance reports (another link to our other blog to explain these more).  

For serious safety incidents that require an FSCA, you’ll submit a final report detailing the actions taken and the outcomes to the competent authority and the notified body. This report includes an assessment of the FSCA’s effectiveness. You can find info on the reporting process for BfArM as an example here and a link to the reports to file, including the final report, here.

Step 5: Be Ready for Audits

Your notified body or the FDA may also conduct follow-up audits as part of this monitoring process. This can be for one of two reasons:

• Routine Inspections: These are company audits that are planned out in advance as a normal part of maintaining your CE mark. During routine inspections, inspectors review CAPA documentation to see your open and closed CAPAs and ensure your processes are working correctly. This includes examining how the CAPA was initiated, investigated, and implemented and if the problem has been effectively solved. 
• For-Cause Inspections: If there are specific concerns or complaints, regulatory bodies may conduct for-cause inspections, where CAPA records will be scrutinized to assess the manufacturer’s response to identified issues. This is usually only done when the problem exposes consumers to significant injury or danger.
  

These audits are exactly why keeping meticulous documentation throughout the process is super important. You’re required to maintain the documentation for the lifetime of your device because if a similar problem ever crops up again, they’ll want to see what didn’t work last time and why. 

Best Practices for Managing a CAPA

Prevention is the best approach for CAPAs as they can be costly and time-consuming. It’s best to establish a robust post-market surveillance system so you can detect issues early before they become a problem. Build procedures that cover:

• What issues and information can lead to a CAPA
• Clear criteria for determining if a CAPA should be initiated and a root cause determined
• Clear criteria on what constitutes a severe incident that needs to be reported to competent authorities and notified bodies
• Timelines for reporting and templates for reports that need to be submitted 

Train all relevant staff on these procedures and make them available so regulatory bodies can review them during audits. Don’t forget to update the procedures regularly based on new regulations and have a system in place for documenting and accessing the data. 

If you end up with a CAPA, here are some best practices so you can get through the process with minimal headache. 

Conclusion

To wrap things up, the CAPA process is essential for keeping our products safe and meeting regulatory standards. Just like fixing a car, maintenance is the name of the game. If you're running a startup, setting up strong CAPA procedures early on will help you with any issues you may encounter when you make it on the market. 

A proactive approach to Quality Management (QM) and Post Market Surveillance (PMS) can help you catch and fix issues before they become big problems. Invest in good training, use data analytics, and build a culture of continuous improvement. This will not only protect you from potential pitfalls but also show your commitment to quality and compliance that auditors will come to appreciate during any audits. By doing this, you'll set your startup up for long-term success.