Most manufacturing sites these days have CAPA systems – a mechanism to capture, record, control and approve or reject Corrective Actions.  Despite the fact that a lot of focus has been given to CAPA in recent years, there is a great deal of misunderstanding and a clear lack of clarity on what CAPA actually is.  This may explain why many organisations feel that they are still in “fire-fighting” mode – always dealing with yesterday’s problems rather than preventing future issues from occurring.

Lack of regulatory guidance

“Corrective and Preventive Action” is mentioned a few times in EU GMP, most notably in Chapter 1 under Product Quality Review (1.5).  The words “CAPA” or “CAPA systems” are not mentioned at all.

Both the FDA’s “Guidance for Industry: Quality Systems Approach to Pharmaceutical CGMP Regulations” (September 2006)and ICH Q10 “Pharmaceutical Quality System” (May 2007 – DRAFT) talk about CAPA and CAPA systems, and here the main problem starts to be highlighted.  This problem comes from combining the two (having CAPA) rather than CA and PA, which are in-fact two distinct processes.

Poor definitions

The FDA’s “Guidance for Industry: Quality Systems Approach to Pharmaceutical CGMP Regulations” (September 2006) talks about CAPA as follows (reference III D):

CAPA is a well-known CGMP regulatory concept that focuses on investigating, understanding, and correcting discrepancies while attempting to prevent their recurrence.  Quality system models discuss CAPA as three separate concepts, all of which are used in this guidance.

  •  Remedial corrections of an identified problem
  • Root cause analysis with corrective action to help understand the cause of the deviation and potentially prevent recurrence of a similar problem
  • Preventive action to avert recurrence of a similar potential problem

And this is very much peoples’ understanding of CAPA.  But dig deeper and in the same document you’ll find contradiction in the glossary with regard to CA and PA.

  • Corrective Action – Action taken to eliminate the causes of an existing discrepancy or other undesirable situation to prevent recurrence.
  • Preventive Action – Action taken to eliminate the cause of a potential discrepancy or other undesirable situation to prevent such an occurrence.

These two definitions are closer to the ISO 9000 series of definitions for CA and PA, which does not join the two up.  In other words Corrective Action is re-active and Preventive Action is pro-activeIt is not possible to do Preventive Action once a problem has occurred, PA takes place before a problem has occurred in the first place.

We can learn a lot from ISO 9000 in how it defines the terms Correction, Corrective Action and Preventive Action. In ISO 9000 theses are defined as below, with an analogy provided by the author.

Correction (3.6.6) – action to eliminate a detected nonconformity.

  • Analogy – we retrain the operator, rework the batch, recalibrate the gauge.

Corrective Action (3.6.5) – action to eliminate the cause of a detected nonconformity.

  • Analogy – we perform a root-cause analysis to find out why the problem occurred and put in mechanisms to prevent it from ever happening again.

Preventive Action (3.6.4) – action to eliminate the cause of a potential nonconformity.

  • Analogy – before we started to run the process we did a detailed risk-assessment of where anything could possibly go wrong and put in systems to prevent these from occurring in the first place.

In many cases where I have seen CAPA systems in pharmaceutical operations the actions that they term Corrective Actions are actually “Corrections”.  The actions that they term Preventive Actions are actually “Corrective Actions” and Preventive Action (doing something before a problem occurs) does not actually feature in the generally re-active CAPA system.

The lack of getting to the root-cause of a problem (doing “Correction” rather than “Corrective Action”) along with no real formal system for Preventive Action may well explain why many organisations are fighting fires and dealing with problems that keep coming back.

This may well not be the case in your own organisation, but I strongly suggest you just take a brief look at what your own internal definitions and general understanding of CA and PA actually are.  This may well be a couple of minutes well spent.

Please feel free to make a comment on what you think of this article.  It has already raised great interest and debate.

4 Comments

  1. David Blackett

    I disagree with you on the interpretation of the definitions and the conclusion.

    CA and PA both should occur after the fact.
    CA is the reactive steps to prevent recurrence (I love that the definition of CA contains “…prevent…”)
    PA is the steps to prevent occurrence elsewhere. I.e. it is not proactive to the event, but it is proactive to OTHER potential related events.

    Here’s the example I give when I provide training, which should make it clearer: Your infant traps its fingers in the kitchen cupboard door.
    – Correction = soothe the baby and apply ice.
    – Root Cause = kitchen cupboard doors open too easily
    – Corrective Action = install childproof locks to the kitchen doors so it never happens again.
    – Preventive Action = look around the rest of the house and notice that the same could happen in the bathroom and so install locks there, and also (bonus PA) notice that the bedroom doors could trap the baby’s fingers so install a child bumper on each.

    In other words, the PA part of a CAPA is to evaluate where the root cause could happen elsewhere, and put controls in place before they occur.

    Here’s an example for our industry: Somebody was supposed to send a report to CROs every month but it hasn’t happened in three months.
    – Correction = send the report.
    – Root Cause = the SOP stated that the department had to do it and no individual was assigned.
    – Corrective Action = assign an individual, and ensure coverage for sickness/vacation.
    – Preventive Action = look at other responsibilities that are performed regularly in the department (e.g. sending other reports) and ensure that individuals are assigned, which coverage for sickness/vacation.

    Hope that clarifies.

    In summary:
    CA = fix it so it never happens again.
    PA = learn from the experience and look around to see if it could happen in some other setting, and prevent it before it does

    Reply
    • Dominic Parry

      Thanks David. Your examples are good BUT the problem is that your examples of PA are reactive – a problem has occurred for something to be done. Had you done these things BEFORE there was a problem, then that would have been PA.

      Reply
      • David Blackett

        Hi Dominic. With respect, if you make changes before there was a problem, you’re not talking about CAPA. You’re talking about periodic review of your processes.

        Your analogy to support your definition of Preventive Action (“Analogy – before we started to run the process we did a detailed risk-assessment of where anything could possibly go wrong and put in systems to prevent these from occurring in the first place.”) appears valid, and it is Preventive Action, but a) it doesn’t really work for repetitive processes, and b) it’s not the PA part of CAPA.

        I believe that any definition of CAPA, including the GMP and ISO 9000 definitions in your article, talks about what you must do after an event, and my examples above show that CA and PA are both separate but important elements that must be performed. Anything that you do before the event has nothing to do with a CAPA.

        It seems to me that with your advice a company would be trying to be proactive all the time, to avoid problems (PAing), but once a problem occurred it would only perform the CA.

        That would lead exactly to the point you make at the end of the article: “…with no real formal system for Preventive Action may well explain why many organisations are fighting fires and dealing with problems that keep coming back.”

        The problem of the infant trapping its fingers in the kitchen doors should never happen again once you install the childproof locks, but if you leave it at that you’re probably going to find that a new problem arises in the bathroom.

        In summary: PA means that once you’ve fixed the problem, look to see if a similar problem could occur elsewhere and fix it before it does.

        Reply
        • David Blackett

          I just realised the process you describe in the blog entry. It’s FMEA.

          “Failure modes and effects analysis (FMEA) is a step-by-step approach for identifying all possible failures in a design, a manufacturing or assembly process, or a product or service.”
          (From http://asq.org/learn-about-quality/process-analysis-tools/overview/fmea.html)

          This is what you do before a process to identify all potential issues. CAPA is what you do after something has gone wrong.

          So to resummarise my summary from above:
          FMEA = systematically review your processes before anything goes wrong to avoid issues
          CA = once something does go wrong, fix it so it never happens again.
          PA = learn from the experience and look around to see if it could happen in some other setting, and prevent it before it does

          Reply

Leave a Reply