Slide 1 of 28

Creating a Risk-Based
CAPA Process
ISO 13485,
ISO
Clause 8.5.2 /
14971
8.5.3

Rob Packard, President

www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 2 of 28

Inputs to the CAPA Process

CAPA is the heart of a Quality Management System
(QMS) and indicates how effective the QMS is:
NCMR’s
VOC Surveys
Complaints
Internal Audits

Mngt. Review

Effectiveness  CAPA’s

MAUDE

Clinicals Service

Validation Risk Analysis

Rob Packard, President

www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 3 of 28

Where is risk as in Input?

NCMR’s
VOC Surveys
Complaints
Internal Audits

Mngt. Review

Effectiveness  CAPA’s

MAUDE

Clinicals Service

Validation Risk Analysis

Rob Packard, President

www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 4 of 28

Why Risk-Based?
• 21 CFR 820 – 1 instance of the word “risk”
• ISO 9001:2008 – 3 instances of the word “risk”
• ISO 9001:2015 – 43 instances of the word “risk”
• ISO 13485:2003 – 4 instances of the word “risk”
• ISO 13485:2015 – 47 instances of the word “risk”

“13485 Plus” is a guidance document that was published

by the Canadian Standards Association in February 2006.
I have been recommending it over all other guidance
documents for quality system implementation since
2010. It mentions the word “risk” 60 times.
http://bit.ly/13485Plus Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 5 of 28

14971 Plus - http://bit.ly/ShopCSA

Rob Packard, President

www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 6 of 28

14971 Plus =
Standard + Gap + Bonus Tools

Rob Packard, President

www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 7 of 28

Bonus Tools in 14971 Plus

Rob Packard, President

www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 8 of 28

Risk Management is a Process

4 – Risk Analysis
Risk
Assessment
5 – Risk Evaluation

6 – Risk Control
Risk
7 – Residual Risk Management
Acceptability

8 – Risk Management
Report

9 – Production &
Post-production Info
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 9 of 28

Risk is Filter & Prioritization Tool

“Death by CAPA”
We use a risk- We always
based approach initiate a CAPA
Quality
Issues

Risk
Analysis

Trend Quality
Analysis Plan
Formal
Rob Packard, President
CAPA www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 10 of 28

Mitigation vs. Control

• In the 2007 version of ISO 14971, the term
“mitigation” was removed.

• Mitigation implies elimination of risks, while

control implies reducing and monitoring risks.

Rob Packard, President

www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 11 of 28

Corrective Action (ISO 9001:2015)

• Clause 10.2 – Nonconformity & Corrective Action
– 10.2.1 When a nonconformity occurs, including those arising from complaints, the
organization shall:
a) react to the nonconformity, and as applicable:
1. take action to control and correct it;
2. deal with the consequences;
b) evaluate the need for action to eliminate the cause(s) of the nonconformity, in order that it
does not recur or occur elsewhere, by:
1. reviewing the nonconformity;
2. determining the causes of the nonconformity;
3. determining if similar nonconformities exist, or could potentially occur;
c) implement any action needed;
d) review the effectiveness of any corrective action taken;
e) make changes to the quality management system, if necessary.
Corrective actions shall be appropriate to the effects of the nonconformities encountered.
NOTE 1 In some instances, it can be impossible to eliminate the cause of a nonconformity.
NOTE 2 Corrective action can reduce the likelihood of recurrence to an acceptable level.
– 10.2.2 The organization shall retain documented information as evidence of:
a) the nature of the nonconformities and any subsequent actions taken;
b) the results of any corrective action.
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 12 of 28

Definition of Risk in ISO 9001

• ISO 9001:2015, Clause 3.09 [Source: ISO DIS 9000:2014, 3.7.4] - effect
of uncertainty on an expected result
– Note 1 to entry: An effect is a deviation from the expected — positive or
negative
– Note 2 to entry: Uncertainty is the state, even partial, of deficiency of
information (3.50) related to, understanding or knowledge (3.53) of, an
event, its consequence, or likelihood.
– Note 3 to entry: Risk is often characterized by reference to potential
“events” (as defined in ISO Guide 73:209, 3.5.1.3) and “consequences” (as
defined in ISO Guide 73:2009, 3.6.1.3), or a combination of these.
– Note 4 to entry: Risk is often expressed in terms of a combination of the
consequences of an event (including changes in circumstances) and the
associated “likelihood” (as defined in ISO Guide 73:2009, 3.6.1.1) of
occurrence.
– Note 5 to entry: The term “risk” is sometimes used when there is only the
possibility of negative consequences

Rob Packard, President

www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 13 of 28

Preventive Actions in ISO 9001:2015

Annex A.4 – Risk-based Approach
“One of the key purposes of a quality management
system is to act as a preventive tool. Consequently,
this International Standard does not have a
separate clause or sub-clause titled 'Preventive
action’. The concept of preventive action is
expressed through a risk-based approach to
formulating quality management system
requirements.”
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 14 of 28

Corrective Action (ISO 13485:2015)

Clause 8.5.2 – The organization shall take action to eliminate the cause of
nonconformities in to prevent recurrence. Corrective actions shall be appropriate
to the effects of the nonconformities encountered. The organization shall
document a procedure to define requirements for:
a) reviewing nonconformities (including complaints);
b) determining the causes of nonconformities;
c) evaluating the need for action to ensure that nonconformities do not recur;
d) planning and documenting action needed and implementing such action in
a timely manner, including, as appropriate, updating documentation;
e) verifying that the corrective action does not adversely affect the ability to
meet applicable regulatory requirements or the safety and performance of
the medical device; and
f) reviewing the effectiveness of corrective action taken.
Records of the results of any investigation and action taken shall be maintained
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 15 of 28

Preventive Action (ISO 13485:2015)

Clause 8.5.3 – The organization shall determine action to eliminate the causes of
potential nonconformities in order to prevent their occurrence. Preventive
actions shall be appropriate to the effects of the potential problems. The
organization shall document a procedure to describe requirements for:
a) determining potential nonconformities and their causes,
b) evaluating the need for action to prevent occurrence of nonconformities,
c) planning and documenting action needed, and implementing such action in a
timely manner, including, as appropriate, updating documentation,
d) verifying that the action does not adversely affect the ability to meet
applicable regulatory requirements or the safety and performance of
products, and
e) reviewing the effectiveness of the preventive action taken, as appropriate.
Records of the results of any investigations and of action taken shall be
maintained
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 16 of 28

21 CFR 820.100
a) Each manufacturer shall establish and maintain procedures for implementing corrective and preventive
action. The procedures shall include requirements for:
1) Analyzing processes, work operations, concessions, quality audit reports, quality records, service
records, complaints, returned product, and other sources of quality data to identify existing and
potential causes of nonconforming product, or other quality problems. Appropriate statistical
methodology shall be employed where necessary to detect recurring quality problems;
2) Investigating the cause of nonconformities relating to product, processes, and the quality system;
3) Identifying the action(s) needed to correct and prevent recurrence of nonconforming product and
other quality problems;
4) Verifying or validating the corrective and preventive action to ensure that such action is effective
and does not adversely affect the finished device;
5) Implementing and recording changes in methods and procedures needed to correct and prevent
identified quality problems;
6) Ensuring that information related to quality problems or nonconforming product is disseminated
to those directly responsible for assuring the quality of such product or the prevention of such
problems; and
7) Submitting relevant information on identified quality problems, as well as corrective and
preventive actions, for management review.
b) All activities required under this section, and their results, shall be documented.
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 17 of 28

Containment & Correction

• 21 CFR 820.90 – Control of Nonconforming
Product (new language in ISO 13485:2015,
Clause 8.3)

• 21 CFR 806 – Recalls/Corrections & Removals

Rob Packard, President

www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 18 of 28

Risk Controls
• Inspection – 21 CFR 820.80

• Process Validation – 21 CFR 820.75

Rob Packard, President

www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 19 of 28

21 CFR 820.250
Statistical Techniques
a) Where appropriate, each manufacturer shall establish
and maintain procedures for identifying valid statistical
techniques required for establishing, controlling, and
verifying the acceptability of process capability and
product characteristics.
b) Sampling plans, when used, shall be written and based
on a valid statistical rationale. Each manufacturer shall
establish and maintain procedures to ensure that
sampling methods are adequate for their intended use
and to ensure that when changes occur the sampling
plans are reviewed. These activities shall be
documented.
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 20 of 28

Definition of Risk in ISO 13485

• ISO 13485:2015, Clause 3.14 [Source: ISO
14971:2007, definition 2.16] – combination of
the probability of occurrence of harm and the
severity of that harm

P1 & P2 from Annex E of ISO 14971:2007

Rob Packard, President

www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 21 of 28

Hazard vs. Harm

• ISO 14971, Clause 2.3 – Hazard is a “potential
source of harm”
[ISO/IEC Guide 51:1999, definition 3.5]

• ISO 14971, Clause 2.2 – Harm is a “physical

injury or damage to the health of people, or
damage to property or the environment”
[ISO/IEC Guide 51:1999, definition 3.3]

Rob Packard, President

www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 22 of 28

CAPA & Risk Management Tasks

Hazard
Identification

Risk Risk Control

Risk Management Effectiveness Verification
Assessment Plan

Risk CAPA Root Cause Corrective Effectiveness

Implementation
Analysis Initiation Analysis Action Plan Verification

CAPA CAPA
Opened Closed

Risk Control
Rob Packard, President
Option Analysis www.MedicalDeviceAcademy.com
22
rob@13485cert.com
 Slide 23 of 28

Process Types & Risk Controls

• Manual Processes • 100% Inspection
• Semi-Automated • Sampling Plans
Processes • Automated Inspection
• Automated Processes • Process Validation
• Batch Processes

Trend Analysis & Statistical Techniques

Rob Packard, President

www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 24 of 28

Quality Management System Planning

ISO 13485:2015, Clause 5.4.2
Top management shall ensure that:
a) the planning of the quality management system is carried
out in order to meet the requirements given in 4.1, as well as
the quality objectives, and
b) the integrity of the quality management system is
maintained when changes to the quality management
system are planned and implemented.

NOTE: Quality management system planning normally includes

identification and implementation of action items that are
intended to accomplish quality objectives, monitoring the
progress toward completion of action items, and revision to the
planning based on monitoring.
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 25 of 28

Change Management Advice

• Training Plan – Competency (ISO 13485:2015,
Clause 6.2.2b)

• Monitoring & Measurement Plan

– ISO 13485:2015, Clause 8.2.2 – Internal Audit
– ISO 13485:2015, Clause 8.2.3 – Monitoring &
Measurement of Processes

• Update your Master Validation Plan &

Revalidation Requirements
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com

Other Training Webinars
How to Improve Your CAPA Process
http://medicaldeviceacademy.com/5-
ways-improve-capa-process/
Slide 26 of 28
http://medicaldeviceacademy.com/imple
menting-risk-management-process-
compliant-iso-149712007-address-seven-
deviations-identified-en-iso-149712012/
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 27 of 28

Q&A

rob@13485cert.com
Rob Packard, President
www.MedicalDeviceAcademy.com
rob@13485cert.com
 Slide 28 of 28

Do You Need Help Updating Your

Quality System to ISO 13485:2015?
rob13485

rob@13485cert.com

+1.802.281.4381
Rob Packard

Rob Packard, President

www.MedicalDeviceAcademy.com
rob@13485cert.com