Copyright © 2015 BSI. All rights reserved.
From CAPA to Risk Management and Resilience
February 19, 2015
John DiMaria; CSSBB, HISP+, MHISP, AMBCI
ISO Product Manager
British Standards Institution
Agenda
• A Look Back into History
  • Beginning of CAPA
  • Corrective/Preventive Comparison
• Risk Management and Resilience
  • Risk-Based Thinking
  • The Risk Assessment Process
  • How Risk Management Drives Preventive Action and Continual Improvement
Corrective and Preventive Action
Background
Walter Shewhart
W. Edwards Deming
CAPA Process
• Characterize – Identify the problem & assemble the right team
• Investigate – Research the problem and identify Root Cause
• Analyze – Perform a thorough assessment
• Action Plan – Create a list of required tasks
• Implementation – Long term permanent action
• Follow Up – Verify and assess the effectiveness
Source: 1-10-100 Rule; Total Quality Management, Joel E. Ross
The rule explains how failure to take notice of one cost escalates the loss in terms of dollars.
Corrective Actions
• The process of reacting to an existing problem, customer complaint or other nonconformity and fixing it.
• Corrective action eliminates the cause of nonconformities to prevent recurrence – ISO 9001
Preventive Actions
A preventive action is a process for predicting potential problems or nonconformances and eliminating them. The process includes:
• Identify the potential problem or nonconformance
• Risk assessment
• Develop a plan to prevent the occurrence
• Implement the plan
• Review the actions taken and the effectiveness in preventing the problem
Why CAPA?
• Regulatory Requirements
  • Regulatory bodies such as FDA, EPA and virtually every ISO standard require an active CAPA program as an essential element of a management system.
• Customer Satisfaction
  • The ability to correct existing problems or implement controls to prevent potential problems is essential for continued customer satisfaction
• Good Business Practice
  • Quality problems can have a significant financial impact on a company
CAPA Procedures
• Properly documented actions provide important historical data for a continual improvement plan and are essential for any product that must meet regulatory and ISO requirements.
What is a nonconformance?
• A nonconformance may be defined as “the failure to comply with some specified standard or criteria.”
• 3.6.2 nonconformity: non-fulfillment of a requirement (3.1.2) ~ ISO 9000 ~
When do I raise a CAPA
You define:
• Those events that are systemic issues and pose a potential adverse impact on the business
• Any event that deviates from expected performance
• When planned results are not achieved, correction and corrective action shall be taken, as appropriate ~ ISO 9001 8.2.3 Monitoring ~
Use Risk to Ensure Effectiveness
Not Everything Needs to be a CAPA
• If everything is a CAPA project you instill the “Sky is Falling” syndrome
Characterize the problem & assemble the right team
• The initial step in the process is to clearly define the problem or potential problem.
• This should include:
  • The source of the information and data
  • A detailed description of the problem
  • Any documentation of the available evidence that a problem exists.
A detailed description of the problem
• A description of the problem is written, concise and complete
• The description must contain enough information so that the specific problem can be easily understood and data is easily translated
Key Terms and Definitions
• Symptom - A quantifiable event or effect experienced by customers that indicates the existence of a problem
• Containment - An action that prevents symptoms from being experienced by the customer
• Emergency Response Action (ERA) - An action taken to isolate customers from symptoms
• Interim Containment Action - Action taken to protect the customer once a complete problem description is available
• Potential Cause - Any cause that describes how an effect may have occurred
• Verified Cause - A Potential Cause verified by data that explains the problem description
Root Cause
• Root Cause is the fundamental breakdown or failure of a process which, when resolved, prevents a recurrence of the problem
Or, in other words:
• For a particular product problem, Root Cause is the factor that, when you fix it, the problem goes away and doesn’t come back
• Root Cause Analysis is a systematic approach to get to the true root causes of our process problems
A Good Investigative Process
• Follow a defined investigation strategy
• Assignment of responsibility and required resources – Owner
• You need a complete review of all circumstances that could have contributed to the problem:
Closing the Loop
• Root cause
• Secondary situations
• Prevention
• Side effects
• Monitoring
From CAPA to Risk Management and Resilience
What is Business Continuity
Business continuity is the capability of an organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident (ISO 22301 – Societal security – Terminology)
What is Resilience
Ability to recover readily from adversity or incidents that threaten profitability and existence or the like; buoyancy.
“Business continuity contributes to a more resilient society” – ISO 22301
Preventive Actions
Annex SL Directive 1
“Actions to address risks and opportunities”
Risk Based Thinking
Preventive Actions
Business dictionary: Preventive Action
An action taken to reduce or eliminate the probability of specific undesirable events from happening in the future. Preventative actions are generally less costly than mitigating the effects of negative events after they occur, but may also be seen as a waste of resources if the predicted event does not take place. Risk analysis and assessment techniques are used to calculate the probability of specific negative events, in order to determine the cost-effectiveness of potential preventative actions.
Federal Regulations
“FDA agrees that the degree of corrective and preventive action taken to eliminate or minimize actual or potential nonconformities must be appropriate to the magnitude of the problem and commensurate with the risks encountered…FDA does expect the manufacturer to develop procedures for assessing the risk, the actions that need to be taken for different levels of risk, and how to correct or prevent the problem from recurring, depending on that risk assessment.”
61 Fed. Reg. at 52633-52634
Risk Assessment
[Figure: risk assessment chart plotting Risk 1, Risk 2 and Risk 3; axes: Probability and Consequence (Insignificant to Critical), each scaled 0 to 10]
Basic Steps in Risk Assessment
• Threat (or potential failure)
• Vulnerability
• Impact
• Mitigating Controls
• Controls Implemented
• Owner
Additional Steps in Risk Assessment
• Likelihood
• Detection
• Risk Priority Number (RPN)
Sample Task List
Action Plan and Implementation
Action Plan
• Solution determined
• Controls required
• Required tasks
• Action plan
• Responsibility
Accountability
Implementation
• Actions executed
• Documents revised
• Communications completed
• Training satisfied
Follow Up
• Verify and assess the effectiveness
Follow up
• Evaluate actions
• Verify tasks
• Assess effectiveness
• Continuous monitoring
• Ensure proper regulatory compliance (if applicable)
PDCA Model used to Monitor the System
What will Auditors look for?
• Promptness
• Records
• Action
• Side effects
• Training
• Communication
Conclusion Continued
• A common, collaborative approach toward controlling the process greatly influences how operational risk and management system control are planned, executed, tested, measured, monitored and managed to the end objective of greater effectiveness, efficiency, and reduced risk exposure.
Contact BSI
Telephone: 888-429-6178 - USA
Email: [email protected]
Website: http://www.bsiamerica.com
LinkedIn: BSI Group America Inc.
John [email protected]: 571-830-4555