AS-4 DiMaria John-BSI CAPA to RMTitle Microsoft PowerPoint - AS-4 DiMaria John-BSI CAPA to RM.pptx Author Patti Created Date 2/19/2015 2:49:21 PM

Copyright © 2015 BSI. All rights reserved.

From CAPA to Risk Management and Resilience

February 19, 2015

John DiMaria; CSSBB, HISP+, MHISP, AMBCIISO Product Manager

British Standards Institution

2Copyright © 2015 BSI. All rights reserved. February 19, 2015

Agenda

• A Look Back into History• Beginning of CAPA• Corrective/Preventive Comparison

• Risk Management and Resilience• Risk-Based Thinking• The Risk Assessment Process• How Risk Management Drives Preventive Action and Continual Improvement


Corrective and Preventive Action

February 19, 2015

4Copyright © 2015 BSI. All rights reserved.

Background

Walter Shewhart

February 19, 2015

W. Edwards Deming


CAPA Process

• Characterize – Identify the problem & assemble the right team• Investigate – Research the problem and identify Root Cause• Analyze – Perform a thorough assessment• Action Plan – create a list of required tasks• Implementation – Long term permanent action• Follow Up – Verify and assess the effectiveness

February 19, 2015

6Copyright © 2015 BSI. All rights reserved. 6

Source: 1-10-100 Rule; Total Quality Management, Joel E.Ross

The rule explains how failure to take notice of one cost escalates the loss in terms of dollars.

Corrective Actions

•The process of reacting to an existing problem, customer complaint or other nonconformity and fixing it.

•Corrective action eliminates the cause of nonconformities to prevent recurrence – ISO 9001

February 19, 2015


Preventive Actions

A preventive action is a process for predictingpotential problems or nonconformances and eliminating them. The process includes:• Identify the potential problem or nonconformance • Risk assessment• Develop a plan to prevent the occurrence• Implement the plan• Review the actions taken and the effectiveness in preventing the problem

February 19, 2015


Why CAPA?

• Regulatory Requirements•Regulatory bodies such as FDA, EPA and virtually every ISO standard requires an active CAPA program as an essential element of a management system.

• Customer Satisfaction• The ability to correct existing problems or implement controls to prevent potential problems is essential for continued customer satisfaction

• Good Business Practice• Quality problems can have a significant financial impact on a company


CAPA Procedures

•Properly documented actions provide important historical data for a continual improvement plan and are essential for any product that must meet regulatory and ISO requirements.

February 19, 2015


What is a nonconformance?

• A nonconformance may be defined as “the failure to comply with some specified standard or criteria.”

• 3.6.2• nonconformity• non-fulfillment of a requirement (3.1.2) ~ ISO 9000 ~

February 19, 2015


When do I raise a CAPA

You define:

• Those events that are systemic issues and pose a potential adverse impact on the business• Any event that deviates from expected performance•When planned results are not achieved, correction and corrective action shall be taken, as appropriate ~ ISO 9001 8.2.3 Monitoring ~

Use Risk to Ensure Effectiveness

February 19, 2015


Not Everything Needs to be a CAPA

• If everything is a CAPA project you instill the “Sky is Falling” syndrome


Characterize the problem & assemble the right team

• The initial step in the process is to clearly define the problem or potential problem.• This should include:• The source of the information and data• A detailed description of the problem• Any documentation of the available evidence that a problem exists.

February 19, 2015


A detailed description of the problem

•A description of the problem is written, concise and complete •The description must contain enough information so that the specific problem can be easily understood and data is easily translated

February 19, 2015


Key Terms and Definitions

• Symptom - A quantifiable event or effect experienced by customers that indicates the existence of a problem

• Containment - An action that prevents symptoms from being experienced by the customer

• Emergency Response Action ERA - An action taken to isolate customers from symptoms

• Interim Containment Action - Action taken to protect the customer once a complete problem description is available

• Potential Cause - Any cause that describes how an effect may have occurred

• Verified Cause - A Potential Cause verified by data that explains the problem description

February 19, 2015


Root Cause

•Root Cause is the fundamental breakdown or failure of a process which, when resolved, prevents a recurrence of the problem

Or, in other words:• For a particular product problem, Root Cause is the factor that, when you fix it, the problem goes away and doesn’t come back• Root Cause Analysis is a systematic approach to get to the true root causes of our process problems

February 19, 2015


A Good Investigative Process

• Follow a defined investigation strategy• Assignment of responsibility and required resources – Owner• You need a complete review of all circumstances that could have contributed to the problem:


Closing the Loop

• Root cause• Secondary situations• Prevention• Side effects• Monitoring


From CAPA to Risk Management and Resilience

February 19, 2015


What is Business Continuity

February 19, 2015

Business continuity is the capability of an organization to continue delivery of products or services at acceptable predefined levels

following a disruptive incident(ISO 22301 – Societal security – Terminology)


What is Resilience

February 19, 2015

Ability to recover readily from adversity or incidents that threaten profitability and

existence or the like; buoyancy.“Business continuity contributes to a more resilient society” – ISO 22301


Preventive Actions

Annex SL Directive 1

“Actions to address risks and opportunities”

Risk Based Thinking

February 19, 2015


Preventive Actions

Business dictionary: Preventive ActionAn action taken to reduce or eliminate the probability of specific undesirable events from happening in the future. Preventative actions are generally less costly than mitigating the effects of negative events after they occur, but may also be seen as a waste of resources if the predicted event does not take place. Risk analysis and assessment techniques are used to calculate the probability of specific negative events, in order to determine the cost-effectiveness of potential preventative actions.

February 19, 2015


“FDA agrees that the degree of corrective and preventive action taken to eliminate or minimize actual or potential nonconformities must be appropriate to the magnitude of the problem and commensurate with the risks encountered…FDA does expect the manufacturer to develop procedures for assessing the risk, the actions that need to be taken for different levels of risk, and how to correct or prevent the problem from recurring, depending on that risk assessment.”

61 Fed. Reg. at 52633-52634

Federal Regulations


“FDA agrees that the degree of corrective and preventive action taken to eliminate or minimize actual or potential nonconformities must be appropriate to the magnitude of the problem and commensurate with the risks encountered…FDA does expect the manufacturer to develop procedures for assessing the risk, the actions that need to be taken for different levels of risk, and how to correct or prevent the problem from recurring, depending on that risk assessment.”

61 Fed. Reg. at 52633-52634

February 19, 2015

Risk Assessment

Risk 1

Risk 2

Risk 3

0

1

2

3

4

5

6

7

8

9

10

0 1 2 3 4 5 6 7 8 9 10

Insi

gnifi

cant

C

onse

quen

ce

Cr

itica

l

Probability




• Threat (or potential failure)

• Vulnerability

• Impact

• Mitigating Controls

• Controls Implemented

• Owner

Basic Steps in Risk Assessment


• Likelihood

• Detection

• Risk Priority Number (RPN)

Additional Steps in Risk Assessment



Sample Task List


Action Plan and Implementation


Action Plan

• Solution determined• Controls required• Required tasks• Action plan • Responsibility

Accountability


Implementation

• Actions executed• Documents revised• Communications

completed• Training satisfied


Follow Up

• Verify and assess the effectiveness


Follow up

• Evaluate actions• Verify tasks• Assess effectiveness• Continuous monitoring• Ensure proper regulatory compliance (if applicable)


PDCA Model used to Monitor the System


What will Auditors look for?

• Promptness• Records• Action• Side effects • Training• Communication


Conclusion Continued

• A common, collaborative approach toward controlling the process greatly influences how operational risk and management system control are planned, executed, tested, measured, monitored and managed to the end objective of greater effectiveness, efficiency, and reduced risk exposure.

February 19, 2015


Contact BSI

Telephone: 888-429-6178 - USA

Email: [email protected]

Website: http://www.bsiamerica.com

LinkedIn: BSI Group America Inc.

February 19, 2015

John [email protected]: 571-830-4555