Corrective and Preventive Action:
The Closed-Loop System
Summary
The Corrective and Preventive Action
(CAPA) process is a fundamental process
that affects all of the control points in a
company’s management system. Auditors
tend to look deeply into companies’ CAPA
process during investigations. Key
questions typically asked include:
• Are CAPAs followed-up in a timely
fashion?
• Do records prove that all actions have
been completed successfully?
• Are all recommended changes
completed and verified?
• Was the actual root cause identified?
How was it validated?
• Was action taken to correct or prevent
the problem and ensure it will not
happen again?
• Has it been demonstrated that actions
taken have no adverse effects on
products or services?
• Was training performed and
communications issued to assure that
all relevant parties understand the
situation that occurred and the changes
that have been made?
To better manage the issues that launch
the CAPA process, companies need to
optimize their practices by implementing
efficient, closed-loop CAPA processes.
Every good CAPA process should have a
built-in audit process to verify and validate
that the CAPA system is at optimal
performance. Data and evidence tracking
is a critical component of action
management as well, so the organization
can ensure that all non-conformance
information can be confirmed, monitored,
measured, and, if necessary, corrected.
With nearly every ISO standard,
e.g. ISO 9001, ISO 13485, ISO 14001,
ISO/IEC 27001, or OHSAS 18001,
organizations must determine the actions
they can take to eliminate the causes of
potential nonconformities.
A company’s ability to rapidly correct
existing problems and implement controls
to prevent potential problems is essential
to ensure customer satisfaction and
achieve operational success. Even more,
regulatory bodies, such as the Food and
Drug Administration (FDA), CFR - Code of
Federal Regulations Title 21 and
Environmental Protection Agency (EPA),
and Resource Conservation and Recovery
Act (RCRA) require a corrective action
program, to ensure the protection of all
interested parties.
While a CAPA process must meet the
necessary industry compliance
requirements, it also must be effective.
Otherwise, managers will find themselves
in a constant state of response and the
CAPA process becomes a bottleneck.
How CAPA Works: It’s All About Improvement
A preventive action is created to offset a
potential problem. While the preventive
action process can contribute to the
overall continual improvement effort, its
main objective is to eliminate potential
problems before they occur. Corrective
actions, on the other hand, provide
managers with not only the data they
need to construct an effective and
efficient closed loop corrective action
process but can be used as input into
preventive actions from lessons learned
reports and data provided. Using both
types of actions enables a company to
transform itself from an operation that is
continually reacting to failures, to one
with the processes in place to prevent
problems in the first place. Ultimately the
company saves time and money and,
most importantly, retains customers.
Interested
Parties
INPUTS
Establish
System
rn
Lea
PLAN
Maintain and Improve
the System
RESPOND DO
RECOVER
CHECK
rn a
Le
Monitor and Revies
the System
DETECT
Requirements
and
Expectations
Figure 1 - Close Loop Process
Corrective and preventive actions are
processes that may be used to achieve
continual improvement. Continual
improvement reflects an ongoing effort to
improve products, services, or processes.
It can be incremental improvement over
time or breakthrough improvement all at
once. For instance, an organization’s
delivery processes are constantly
monitored and evaluated in light of the
fact that they are already considered to be
effective; improvement may come in the
form of making the processes more
efficient. Improved efficiency could lead to
a decrease in administrative and
operations costs, thereby lowering the
costs of goods and services and providing
an opportunity to lower prices to be more
competitive and win more business.
Interested
Parties
OUTPUTS
Le
ar
n
Implement
and Operate
ACT the System
PREVENT
L ea
rn
Managed
System
Companies that implement a closed-loop
CAPA process can expect to experience
satisfying and cost-effective results. See
Figure 1 for an illustration of a closed loop
CAPA process and how it ties in to the
Plan, Do, Check, Act process. Through
continuous monitoring, issues are
highlighted, thereby allowing them to be
addressed real-time. Consequently, the
closed-loop process reduces the number
and severity of issues that occur. Over
time, organizations build an intelligent
knowledge base and can implement
additional preventive actions, thereby
being more proactive, further improving
processes and operations throughout
their facilities. As a result, customer
satisfaction improves and the bottom line
moves in the right direction.
In addition to these advantages, a closed-
loop CAPA process ensures that best
practices are consistently applied to the
processes that support compliance
requirements. Properly documented
actions provide managers with important
historical data, which may be used to
implement continual improvement plans;
a well thought, integrated process can
help in the capture and dissemination of
operational intelligence related to
these actions.
Defeating Non-conformities
When implementing a CAPA process, it is
important to define all of the non-
conformities that could impact a
company’s operations. Having a good
grasp of the non-conformities helps
managers write procedures and design
actions that will be taken when a
corrective action plan is launched.
But what is a non-conformity? A non-
conformity is defined as a deviation from
a specific procedure, standard, stated
process, or system requirement. When
defining nonconformities, it is important
to identify the potential severity of the
impact they could have on a management
system. For example, a major
nonconformity could be an actual or
potential deficiency that will seriously
affect the management system. A minor
one would be a less serious more isolated
incident, such as a documentation/work
instruction error or inaccuracy.
20
18
4.2
16
Documentation
14 Requirements
12
10
0
4 4.1 4.2 5 5.1 5.2 5.3 5.4 5.5 5.6 6 6.1 6.2 6.3 6.4 7 7.1 7.2 7.3 7.4 7.5 7.6 8 8.1 8.2 8.3 8.4 8.5
Figure 2 - Non-conformance by clause
Some of the many issues related to the
CAPA process are:
• Poor documentation of requirements
• Failure to document and communicate
updates or process improvements
following a CAPA
• Inability to trace training documents
• CAPAs that are outdated or closed
without validation
• Missing or misplaced data
• E-mail sandwiches 1 companies to avoid or minimize the
• Failure to monitor critical controls
8.2
Monitoring &
Measurement
As illustrated in Figure 2, BSI ISO 9001
field audit results over a twelve month
period reveal that the majority of
nonconformities are raised in the areas of
document and record control closely
followed by monitoring & measuring, and
improvement. All three are closely linked,
as a good CAPA system requires good
documentation and continuous
monitoring in order to deliver continual
improvement.
A closed-loop CAPA process enables
occurrence of issues, as managers are
better able to characterize problems and
assemble the best possible cross-
functional team of people to successfully
tackle them.
1
A CAPA record that is sandwiched in by multiple
untraceable e-mails that should be formally
documented evidence.
8.5
Improvement
Not
Defined
Opening a CAPA
Some organizations open a CAPA for
every event, regardless of its severity or
potential impact. However, this creates
bottlenecks because employees become
so focused on their CAPAs that they find it
difficult to focus on their other day-to-day
responsibilities. It also creates a feeling of
chaos and concern that “the sky is falling”;
continuous improvement suffers by trying
to keep up with CAPAs.
ISO 9001:2008 simply states that when
planned results are not achieved,
appropriate corrective action shall be
taken. It goes on to say that when
managers are determining suitable
actions, they would be wise to consider
the type and extent of monitoring or
measurement they plan to undertake. This
is similar for many other ISO standards.
Severity
Extensive
Major
Medium
Minor
No Impact
Highly Unlikely
unlikely
Figure 3 Example Risk Matrix
Any actions taken should be appropriate
to each process related to the problem
and should be considered in relation to
their impact on conformity to product
requirements and the effectiveness of the
management system. If the system is
monitoring wrong or contaminated data,
companies basing actions and assigning
resources to implement those actions
could find themselves wasting resources
and money.
Risk assessment is a good way to avoid
this effect. Risk matrices2 help managers
and teams to clearly define risk, severity,
and potential impact. They also help
determine which procedures, designs, and
controls best define expected
performance. The higher the risk, the more
likely it will be necessary to launch a
corrective or preventive action. An
example of high risk situations are those
associated with medical device
Possible Likely Very likely
nonconformities. In fact, the in vitro
diagnostics (IVD) and the Medical Device
(MD) Directives would require risk based
investigations for CAPAs especially if they
are related to complaints and reportable
events. Thorough investigations are
mandatory for the FDA, Health Canada,
and other competent authorities, such as
the Federal Financial Institutions
Examination Council and Federal Deposit
and Insurance Corporation in the financial
industry and the Environmental Protection
Agency in the environmental sector. These
are only just a few examples where an
industry sector regulation mandates a
specific CAPA process.
In addition to predicting problematic
events, risk assessment may suggest
monitoring a particular aspect of a
process or product. The results of the
monitoring may yield measurements and
analysis that help managers’ spot trends
that in turn will justify the opening of a
CAPA. In many companies, the compilation
of results is aided by software tools that
provide a framework for the analysis that
is critical to an effective CAPA process.
2
Risk Matrices - are mainly used to determine the size of a
risk and whether or not the risk is sufficiently controlled.
It looks at how severe and likely an unwanted event is.
Catagories
Not Acceptable
ALARP
Acceptable
Probability
Responding to a CAPA
Once a CAPA has been opened, a cross-
functional team should be assembled to
respond to the event and clearly define
the (potential) problem. Team members
should consider the source of the
information and data. They also must
obtain or draft a detailed description of
the problem and consult any
documentation and/or data that provides
evidence that a problem exists. The team
then must evaluate the situation to
determine both the need for action and
the level of action required.
When evaluating the problem the team
should consider the potential impact of
the problem in terms of its risk to the
company and its customers, as well as any
immediate action that may be required.
They also must determine and document
why the problem is a concern and what
impact it may have on the company and
its customers. Typical concerns can
include costs, functions, product quality,
safety, reliability, and customer
satisfaction.
The potential impact and risk assessment
may indicate the need for some kind of
immediate action to remedy the situation
for the short term until a permanent
solution is developed and implemented. If
the remedial action solves the problem
adequately, the CAPA can be closed.
However, the team must document the
rationale for its decision and complete
appropriate follow-up to validate
effectiveness of the action.
Define the Probem:
Enter Problem
Statement Here
Why?
Enter 1st “Why” here
Because
Why?
Because
Figure 4 - Five Why’s
It is important to document the specific
source of the information that is gathered
by the team. The information collected
helps with the investigation and
developing an action plan. It also helps the
team evaluate the effectiveness of the
action and communicate how a problem
has been resolved. Some sources of good
information include service requests,
customer complaints, internal audits, and
staff observations. Trend data also can be
gathered from Quality Assurance (QA)
inspections, process monitoring, and risk
analysis. The data gathered must be
properly organized and shared through
some sort of relational database. This
data, when properly organized and
disseminated, becomes operational
intelligence that may be leveraged by the
entire organization to help improve
performance.
Defining the Root Cause
A problem statement is a clear concise
description of the issues that need to be
addressed by the assembled team, and
not just a byproduct of a quick
brainstorming session. The description
must contain enough information so that
the specific problem statement can be
easily understood. Data supporting the
statement also must be easy to translate.
The problem statement may have to be
reviewed several times until the entire
team is clear and in agreement about the
task at hand.
Therefore
Enter 2nd “Why” here
Therefore
Why?
Enter 3rd “Why” here
Because
Why?
Enter 4th “Why” here
Because
Next, the team must conduct a detailed
investigation of the circumstances that
created the problem by performing root
cause analysis. Eliminating the root cause
is the only way to prevent the problem
from recurring. Many problem-solving
techniques help in this phase of the
process. The most popular techniques
include use of process mapping, Fish
Bone, and the Five Whys.
The 5 whys have been criticized in the
past because it is very basic:
• Tendency for the team to stop and
address symptoms rather than going on
to lower-level root causes.
• Inability to go beyond the team’s current
knowledge - cannot find causes that
they do not already know.
• Lack of support to help the team ask the
right “why” questions.
• Results are not repeatable - different
people using 5 Whys come up with
different causes for the same problem.
• Tendency to isolate a single root cause,
whereas each question could produce or
uncover different associated root
causes.
These can be significant problems when
the method is applied through deduction
only. On-the-spot verification of the
answer to the current “why” question
before proceeding to the next is
recommended to avoid these issues.
The Root Cause
is the Last Cause
in the Cause Chain
Therefore
Therefore
Why?
Enter 5th “Why” here
Because
The Fishbone diagram on the other hand
is considered a more holistic approach to
problem solving and root cause analysis.
Causes in the diagram are often
categorized, such as to the 5 M’s,
(Machine, Manpower, Machines, Methods,
and Measurements). Cause-and-effect
diagrams can reveal key relationships
among various variables, and the possible
causes provide additional insight into
process behavior.
Causes can be derived from brainstorming
sessions. These groups can then be labeled
as categories of the fishbone. They will
typically be one of the traditional
categories mentioned above but may be
something unique to the application in a
specific case. Causes can be traced back to
the actual problem.
Root Cause Analysis requires asking a
series of questions to identify all of the
possible causes that could explain why
the problem occurred. It also helps to
identify why the problem was not noticed
earlier. Then, all causes should be verified.
Once the root cause is established, the
team should work together to create a list
of required tasks and implement pre-
Topic Name
Figure 5 - Fishbone Diagram
production, process or design experiment
programs to quantitatively confirm that
the prescribed solution actually will
resolve the problem. It is important to
note if employee training should be part
of the action plan. To be effective, all
modifications and changes must be
communicated to all persons,
departments, suppliers, etc. that were or
will be affected. Automated tools can
facilitate these communications to
stakeholders and also ensure that
communications are received and
acknowledged.
Solution
The next step is implementing the
solution. It is important to confirm and
verify that all of the required tasks
described in the action plan are initiated,
completed, and documented. At the same
time, necessary changes to documents,
processes, procedures, or other system
modifications must be described in a clear
and concise manner and should specify
the desired outcome of any changes. As
one may imagine, in complex processes,
discovering the potential impact of an
Category 1
Factor
Factor
Factor
Factors and/or Categories of Factors
Factor
Factor
Factor
Category 3
action plan may be difficult. In this
instance, a programmed tool with a
comprehensive search function can ease
the discovery process and help ensure
that affected areas are uncovered,
considered, and addressed.
Once the long term permanent action is in
place, the team needs to ensure that it has
records of all actions taken. It also must
have a plan in place to follow-up, verify,
and assess the effectiveness of the
solution it has implemented after a pre-
determined period of time. The team also
should implement preventive measures
such as modifying management systems,
operation systems, practices, and
procedures to prevent reoccurrence of
this nonconformity and all similar types of
problems.
As this is not a “one size fits all” process, it
is up to the team to determine the
verification method and timeline required.
In some cases (depending on your
industry) your customer contract may
dictate a specified amount of time that
processes must be monitored during and
after corrective action.
Category 2
Factor
Factor
Factor
Factor
Factor
Factor
Category 4
Unleashing the Power of CAPA with a Closed-Loop System
The objective of a Closed-Loop system is Non-conformances and Corrective and Preventive Actions
to utilize CAPA opportunities by
systematically converting them into inputs
that connect to specific tasks that are Identify Create
assigned to process owners to be carried non-confromance scorecard of
out until closure, verified and then during ad-hoc and Non-conformance
redirected back into the CAPA system for checklist audits and CAPA statistics
final disposition and/or continuous
monitoring. The CAPA process will provide
feedback to managers for necessary
Record
process improvements. This in turn Record Non-confromance
Non-confromance
enables them to continuously improve Non-confromance Resolved
Owner
how they proactively address and prevent
nonconformities.
Checking the effectiveness of a closed- Record Action
loop CAPA process has to be structured Root Cause Approved
and diligent. CAPA data must be easy to
access and analyze, while having a
continuous feedback loop. Automating Notify Person
forms-based processes like CAPA, Create Action Notify Action
Responsible
facilitates compliance and saves CAPA Completed Approver
for Action
companies’ time and resources; with
automation, the concerns of regulators,
auditors, and other stakeholders may be
easily addressed.

Manage CAPA

Create
CAPA

Approval
Assign Specify Complete
of Action
Responsibility Due Date Actions
Complete

Set Reminder
Notifications
Notifications
Establish are sent by the
Notifications system based
on user
applied rules

Set Escalation
Notifications

Figure 6: Example automated Closed-Loop CAPA


Without a closed-loop system, the ability
for the CAPA process to effectively
communicate is compromised. As a result,
risk increases because there is no logical
flow that can be followed. While any
regulated company can ill-afford to work
in such an environment, virtually every
organization has to uphold customer,
internal and industry standards
In an optimal approach for a closed-loop
system, resources are managed as a
series of interconnecting processes. The
system identifies, understands, and
manages processes that have
interrelationships. Inputs and outputs of
the system are also monitored to ensure
the process is meeting its expected
performance. This optimal approach takes
a certain amount of automation to be
effective. An example of a workflow
element of an automated closed-loop
system is shown in Figure 4. We can see
that key processes are integrated and
tracked to ensure that responsibility and
tasks are assigned, root cause analysis is
captured, and the final action plan is
documented, implemented, and verified.
Key owners are established, notified and
documented as are the start dates and
due dates. Automatic reminders and
escalation notifications ensure the
process and tasks are on track.
For more information, call 888-429-6178
or visit www.bsiamerica.com
BSI Group America Inc.
12950 Worldgate Drive, Suite 800
Herndon, VA 20170
USA
Tel: 1 888 429 6178
Fax: 1 703 437 9001
Email:
[email protected]
Fax: 1 416 620 9911
www.bsiamerica.com
[email protected]
Conclusion
While implementing a closed-loop CAPA
process can be an expense for companies,
the cost of inaction is higher (i.e. ad hoc
investigation of incidents, unclear
assignment of accountability, assets over
or under protected, and fines or
suspensions levied by regulatory
authorities).
One way to contain costs is to subject
both preventive and corrective actions to
the same closed-loop process.
Furthermore, preventive actions, in
particular, need to be thoroughly
investigated and justified, both at the time
of implementation and on a regular basis
going forward, in order to avoid
unintended consequences that could lead
to non-conformities.
BSI Group Canada Inc.
6205B Airport Road, Suite 414
Mississauga, Ontario
L4V 1E3
Canada
Tel: 1 800 862 6752
product or service.
www.bsigroup.ca
www.bsigroup.ca/fr
Manually meeting the requirements of a
closed-loop system is a very daunting
task, which may tax resources in a manner
that can lead to the deterioration and
disuse of the CAPA process. An enterprise
level, role-based, automated software tool
will encourage stakeholder participation in
the CAPA process; the facts and figures
associated with CAPA will become
operational intelligence; and the
organization’s operational intelligence
quotient can greatly improve, thereby
improving the likelihood of implementing
and sustaining a top-notch, close-loop
CAPA process.
By leveraging intelligence to drive
operational excellence, companies are
relying on automated closed-loop systems
to implement a systematic and consistent
CAPA process across the organization for
increased transparency, effectiveness, and
efficiency.
The BSI certification mark may be used on your
stationery, literature and vehicles when you have
successfully achieved certification and conform
with applicable guidelines.
The mark shall never be applied directly on the
Copyright © 2013 The British Standards Institution. All Rights Reserved.