Quality systems and their allowance to be used is a contract with the public. It comes out of the trust paradigm we have with our health authorities and most importantly how our overall culture developed. Even if we have strayed from that culture, the intent of regulation and these rules are to bring us back to that social contract. The trust paradigm is that, the house gives you a line of credit of trust. You lose it all, you ain't getting more. You build on that trust with your blood, sweat and tears by building credibility and integrity, and the line of credit opens. But you have to be consistent. You can't hide shit. You let your record speak for itself. I speak of that both institutionally and personally. This does not mean you are not allowed to flex and make sure the business runs, but you must be able to stand on the basis of the regulation. Don't talk yourself into shit, just always be honest with yourself and others as to why you are doing what you are doing. If that reason is for a check, seriously, get the F out of the industry. You will thank me.
Personally, whatever you want to call that, "do no harm", "your word is your bond", whatever the hell you want to call it, if you are in any type of quality role, you are operating off this single premise: "If I/we find something wrong, it will be fixed so it does not happen again. Oh and by the way if we think it could happen we aren't going to wait for it to happen for us to fix it."
F'ing simple.
I could leave it there but then, why would you be reading this (grandiose of me to think anyone is reading this I know). But then you get people in the mix and they don't believe as you do because they [insert BS reason]. Let's start with some foundational things that we, as quality professionals, need to believe:
- No matter the size of the company, you don't get to devalue a regulation or de-regulate yourself
- If you are a service provider, the contracts you get into and what your customers pay you for DO NOT absolve you of the regulation. When in doubt, suck it up buttercup, you are fulfilling the regulation or you are not releasing that product or service. There is no memorandum that absolves you. Not even a little bit.
- The owners, shareholders, etc, they knew what they were getting to (or should have), they need to put the investment in for compliance. Period.
- Management is responsible. Your integrity is tied to theirs. I leave that to you to wrestle out the question on if management does not take their responsibility what that says about you if you stay.
In my scattered way of giving background on why I think what I think I tend to keep refining how I think (AHHH CONTINUOUS IMPROVEMENT). So all that to say is that as you review regulation, stance, vision, I would beg of you to always be ready to question the foundations of what you think by looking at why you think it. You may change some seriously cool things. If you can't do that, then I would like to recommend some other things like not being in management. If you are stuck, so are all your reports.
If you believe you are constantly right, and cannot be wrong, ask yourself if you are in the right mindset to be the decider for a risk analysis, investigation or CAPA.
Let's talk about how CAPA originate.
- Deviations
- Investigations/Stand Alone CA or PA (yes stand alone investigations better have CAPA; all CAPA have to be tied to a root cause analysis)
- Audit findings
- Stock Recovery/Recall
- Management Review
- Failures to meet corporate or site goals
Some of these are my thoughts, but I have a reason for this list.
Now that I have a list let's get into the process.
Just like root cause, you wait for all of the information prior to coming up with both the CA AND the PA.
If you go in with the CA or PA known, you should recuse yourself or self identify your bias to the team. Yes, even you who have 25+ years of experience. If you see that bias take hold of others out of authority, then you are not leading.
There are several users of CAPA and each level needs to know their functional role depending how the issue comes to them.
- Identification of the failure or potential failure point
- Determine the scope quickly in a triage
- Containment actions - Execute actions that keep the failure/potential failure from happening, this includes a clear communication plan
- Collect more information, and investigate
- Expand containment actions as needed, expand and look at other batches or processes where this could have similarly happened.
- Based on new information, interviews and constraints, re-baseline your initial assumptions.
- Identify all of the why's in your investigation; determine which are containment actions, push all corrective and preventive actions to the appropriate team/system owner.
- Reset and re-home any and all biases - this assumes you know your biases
- Execute a cost analysis of the issue and its likelihood to impact again
- Develop your corrective actions and at lease 1 preventive action. Don't just rely on retraining
- Evaluate the above against known risks, established severities, and trend this against occurrence rates; question if they hold. Identify if there were new risks identified. A corrective/preventive action could be to re-execute and re-baseline the FMEA for the process.
- Communicate to all stakeholders and management. Again, remove your bias, present evidence and scenarios. Establish the level of avoidance of the issue by thoroughly evaluating corrective/preventive actions for effectiveness.
- Choose and implement your CA/PA. If you remove any CA or PA for a particular reason, document the reason why in the record. You must give management the ability to do their job and document their decisions, good or bad.
- If capital is needed, escalate the issue including any cost analysis for avoidance.
- Log all CAPA into your system and track with realistic dates.
- All CAPA should have an implementation plan.
- Execute and monitor. Resources should be monitored and managed. Ensure you are following your processes and make sure stakeholders are involved. In the end QA is responsible for oversight.
- Effectiveness of the CAPA needs to be measured objectively. Effectiveness checks should be executed after obtaining enough data and held against pre-established criteria. Otherwise they are justified as to why it is compliant to close and that the corrections have objective evidence to demonstrate effectiveness (e.g. removal of the risk).
Common issues in CAPA systems
- Not enough capital or management buy in
- A system owner with an agenda
- Resistance to change
- Lack of understanding of persistence of the issue and the potential consequences (unrealized/near misses).
- Belief that people are a sustainable prevention system
- Lack of understanding that systems degrade and changes to peripheral systems may have unintended consequences.
I can expand on each of these but at this point I think I have said enough. More later.