Risk Management (03) – The Regulatory Requirements For Risk Management

December 5th, 2019 Posted by Requirements Management Tool 0 thoughts on “Risk Management (03) – The Regulatory Requirements For Risk Management”

Pharmaceutical/Medical Device/Automotive Regulatory Requirements

According to regulatory bodies, medical devices, pharmaceutical or automotive manufacturers should be implementing Quality Risk Management (QRM) systems when accessing the risks that come with the production of products that introduce safety issues to the user/operator/technician of the device. In this post, we will be addressing the relevant quality standards and regulatory guidelines.

The United States Food and Drug Administration (FDA)

Below are 5 crucial points from the FDA Guidance for Industry: Quality Systems Approach to mentioned industries cGMP regulations (2006).

21 CFR Part 11 – Scope and Application 2003: This guidance is the documentation of the FDA’s approach for electronic records and signatures. They recommend that for implementation of key requirements of Part 11 they should base the decision on a documented and justified risk assessment. Also, consideration should be given toward the potential of the system to influence product quality, record integrity, and safety. 

  • Additionally, the decision to include audit trails should be based on justified and documented risk assessment.
  • The Orcanos QMS system fully complies with the regulatory requirements and it includes a built-in electronic signature and audit trail according to 21 CFR Part 11. It comes with a complete validation package to assist users to include it in their audit inspection.

 Orcanos Electronic Signature

European Regulations: There is a legal status for Annex 15 to the EU GMPs Validation and Qualification. It utilizes a risk-based process for validation of changes to components, systems, facilities, and equipment. To determine the extent and scope of validation, use a Risk Assessment Approach. It crucial to always evaluate the possible effect of changes in facilities, equipment, and systems on the product. Also, do not forget to include a risk analysis report.

In the Orcanos Design Control module, there are several tools that allow you to conduct the assessment of a change. It gives you tools to raise subspecies indicators which are based on existing traceability between artifacts or to asses risk to newly introduce change as part of the risk assessment process.

Orcanos Suspicious Effect on Change Report

There is a legal status for Annex 11 to the EU GMPs for using computerized systems. It mandates that control for computerized systems be based on a document and justified risk assessment. Likewise, the level of validation and data controls have to be in line with a proper and documented risk assessment.

Orcanos computerized system is a validated system and it comes with a validation package that is complying with the regulatory requirements for both the USA and EU.

International Conference for Harmonisation ICH Q9/ISO 14971/ISO 26262: It is regarded as the most important document when it comes to risk assessment for the pharmaceutical/medical device/automotive correlated sector.  The ICH focuses on how scientific knowledge plays a role in the protection of patients in the life industry and ISO 14971 focuses on the hazardous situation and potential mitigation while the ISO 26262 focus on safety issues related to critical components. These reference documents provides guidance on implementation processes. The three major principles that govern quality risk management are; 

  • Always use scientific knowledge were possible, as a base for evaluating risks to product quality and relate it to patient protection.
  • The extensiveness of the documentation, effort, and formality regarding risk management processes should reflect the level of risk.
  • Learn from the existing market what could go wrong in your device.

It might not always be necessary or appropriate to make use of a formal risk management process. For instance, using a well-known tool for an internal process like a standard operating procedure. Similarly, it is acceptable to use informal risk management processes or standard operating procedures for internal processes.

International Standards Organisation (ISO): The organization has three standards that address risk management. They are;

  • ISO 14971 – Medical Devices
  • ISO 31000 – General purpose risk management projects
  • ISO 31010 –  General purpose risk management projects


NOTE: There is a major difference between ISO 31000 and ISO 31010 despite addressing the same risk management problems. ISO 31000 highlights principles and guidelines, while ISO31010 describes risk assessment techniques.

ISO 14971: 2012 (Application of Risk Management to Medical Devices): While this document is for medical devices, the FDA recommends it to the pharmaceutical industry, others recommended it for the automotive as well. In this international standard, there is an outline that manufacturers can follow to identify potential hazards that concern medical devices. Also, it covers in-vitro diagnostic devices (IVD). Using the stipulated process, manufacturers can evaluate, and estimate the level of risk and take actions to control and monitor the risks. Likewise, the manufacturers will have criteria that will help them determine the effectiveness of the controls.

Throughout the lifecycle of any medical device, the requirements in this standard are applicable. However, it does not extend to clinical decision making, neither does it specify what risks levels are acceptable. Finally, the standard does not mandate that manufacturers use a quality management system. Nevertheless, a risk management system is a crucial part of the quality management system.

Reference Links

Risk Management – orcanos FMEA Risk Management Tool
Generate Risk Management File Risk Management (ISO 14971) by Orcanos, based on FDA 2017 Recalls
Orcanos Risk Management – Add Traceability Matrix ALM Requirements Traceability Matrix Tools
10 Reasons why to use EQMS 21 CFR Part 820
Risk Management (01) – Introduction to Quality Risk Management (QRM) Risk MANAGEMENT (02) – THE BENEFITS OF FAILURE MODE AND EFFECT ANALYSIS (FMEA)



November 26th, 2019 Posted by ISO 14971, RISK Assessment, Risk Management 0 thoughts on “RISK MANAGEMENT (02) – THE BENEFITS OF FAILURE MODE AND EFFECT ANALYSIS (FMEA)”

The Quality RISK Management system 9 major benefits and what are the 5 top areas you should consider using it?

Here in this post, you will hear all about the QRM system and the fundamental of the FMEA process. This post and all other future posts refer to not just the Medical Device industry but also the Automotive and Pharma so some adaptation to your world may be required but still, all principals will be uncovered here. For the automotive it is common to say that the severity of the failure mode is taken into consideration as well as the effect the failure mode, should it occur, will have on the component, system, process, vehicle, or customer. The two main types of FMEAs used in the automotive industry are design FMEAs (DFMEA) and process FMEAs (PFMEA).


  1.   An effective FMEA will add to upper reliability, enhance safety and improve quality.
  2.   There will be a shortage of innovative ideas that will help improve similar designs or processes.
  3.   Manufacturing and design efficiency will increase.
  4.   Documents on the improvements made as a result of corrective action implementation will be available (better CAPA effectiveness).
  5.   It will prevent late changes in issues.
  6.   It will reduce the chances of repeating the same failure in the future.
  7.   The cost and time for system development reduce.
  8.   There will be an encouragement for teamwork and effective communication between functions – collaboration.
  9.   It helps improve company competitiveness and image.

Patient Safety

In the industry of live science, manufacturers, vendors, and quality analyst have to combat challenges that involve Patient Safety, Staying Competitive, and Regulatory GxP requirements. The challenges are unavoidable due to the rapidly changing and evolving environment. It is up to these professionals to produce products that are;

  • Fit for purpose.
  • Right first time.

Regulatory agencies always expect a risk-based compliance model that will balance Cost and Compliance effort against Product Quality and Patient Safety. It is impossible to test quality into products, hence, it is imperative that they come with the design. One of the ways to ensure built-in quality with the design is to incorporate some of the latest theories and technology into the design control, manufacturing and post-marketing surveillance process.

Following encouragement from regulatory bodies, the medical device, automotive and pharmaceutical industry are using Quality Risk Management and Quality by Design to incorporate new standards. In some standards such as ICH Guidance Q9 (Quality Risk Management) and ISO 14971, three major topics are addressed namely;

  1. Risk Management
  2. The Identification of Risk
  3. Risk Minimization

Quality Risk Management is a systematic process of assessing, controlling, communicating and reviewing of risks that might disrupt the quality of a Medical/Automotive/Pharma product. However, to achieve QRM, Quality Assurance should be treated as a proactive process. In other words, try to identify potential problems, effects and find solutions to them before they occur. This is the reason for practicing Failure Mode and Effect Analysis (FMEA) is necessary.


FMEA Risk Management

Orcanos RISK management reports

Explaining Risk

As we go further into the discussion of Quality Risk Management, it is important to define Risk. Risk is the combination of the potential for harm to occur and the severity of that harm.

Mathematically, Risk = Probability * Severity.

For example, there is a low probability of occurrence of a hazardous event happening during a drug/car/device manufacturing process. The reason is that it has happened just once in the last ten years. However, the severity of the hazard is high, since it can lead to death and destruction of many to use it. Therefore, the resulting risk in such an event is high and it must not be ignored.

Orcanos quality system includes fully comply RISK management system which allow your to configure and practice the FMEA. You can change the calculation factors according to your device level of concern and to make sure it is all audit traced for all changes and modifications. Orcanos system will generate for your the FMEA table automatically with the traceability to mitigation by design.

Source of Risk

A lot of risks comes with the manufacturing process of medical/automotive/pharmaceutical products. The sources of these risks include;

  • Poor Facility Design
  • Poor Process Design
  • Poor Control Plans and SOPs
  • Poor Storage
  • Poor Material Flow
  • Safety Hazards
  • Poor Logistics
  • Raw Material Variation
  • Unclear Customer Expectations
  • Poorly Developed Specifications and Limits
  • Cross Contamination
  • Lack of Product Understanding
  • Poor post-marketing surveillance
  • Poor CAPA processes 

To manage risk effectively, it is crucial to understand the level of risk at each stage of production or application.

Understanding Quality Risk Management (QRM)

Quality Risk Management (QRM) is a systematic way of identifying risks to patient/passenger  safety and product quality, then analyze the risk and design a plan to either reduce or manage the risk. It is important that QRM follows the scientific rationale and the approach should follow scientific principles based on;

  1. Quality Risk Management (ISO 14971)
  2. Quality By Design (QbD)

The goal of QRM is to convert scientific knowledge on the design control, manufacturing process, post-marketing surveillance (PMS) and product into documentation. For example, both equipment qualification and design specification are documentations that highlight product use and ways to reduce risk to product quality and patient safety. It is the same standard principle that experts and regulatory bodies follow. It can be summarized as;

  1. Identify the risks: What can go wrong?
  2. Analyze the risk: What is the probability of something going wrong? What will be the impact? How severe will the damage be?
  3. Estimate the risk priority number (RPN): determine the level of risk and decide if it is high or acceptable.
  4. Should the risk be too high, develop and implement control measures to manage or reduce the risk
  5. Analyze the remaining risks and determine if they are acceptable.
  6. Validate the risk mitigation
  7. Conduct effectiveness check on the 

Risk Full Traceability Matrix

Potential Areas for Quality Risk Management and Application

In the life science industry, below are some of the areas to consider when deciding to implement or apply QRM.

Integrated Quality Management: it includes the following area;

  1. Documentation
  2. Auditing/Inspection
  3. Change management
  4. Change Control
  5. Quality Defects
  6. Training and Education
  7. Periodic Review
  8. Quality Events
  9. Customer Compliant

Development: it covers the following;

  1. Critical Process Parameters (CPPs)
  2. Specification
  3. Verification and Validation
  4. Manufacturing Controls

Facilities, Equipment, and Utilities: it includes;

  1. Design of Facility and Equipment
  2. Hygiene
  3. Computer Systems and Computer Controlled Equipment
  4. Qualification of Facility/Equipment/Utilities
  5. Aspects of Facilities
  6. Calibration/Preventive Maintenance
  7. Cleaning of Equipment and Environmental Control


Materials Management: it includes;

  1. Use of Materials and Storage
  2. Assessment and Evaluation of Supplier
  3. Logistics and Distribution Conditions

Production: it covers the following;

  1. In-process /Sampling and Testing
  2. Validation
  3. Production Planning

Laboratory Control and Stability Studies: it includes the following area;

  1. Retest Periods and Validation
  2. Out of Specification Results

Packaging and Labelling: it includes;

  1. Selection of Container Closure Systems
  2. Package Design
  3. Label Control

Reference Links

Risk Management – orcanos FMEA Risk Management Tool
Generate Risk Management File Risk Management (ISO 14971) by Orcanos, based on FDA 2017 Recalls
Orcanos Risk Management – Add Traceability Matrix ALM Requirements Traceability Matrix Tools
10 Reasons why to use EQMS 21 CFR Part 820











November 23rd, 2019 Posted by Requirements Management Tool 0 thoughts on “RISK MANAGEMENT (01) – INTRODUCTION TO QUALITY RISK MANAGEMENT (QRM)”

Are you new to the ISO 14971:2012 & FMEA system or seeking to improve your processes?

As a QA representative or Functional Safety Manager, you will find in the following series of posts all the knowledge you need to get started implementing GDP for your Risk process.


FMEA Risk Management

RISK Summary Report


Quality Risk Management is the evaluation of product quality and risk to patient / passenger / doctor / nurse / operator health or anyone that may be exposed to safety issues when using the device based on data, scientific knowledge, and data. According to regulators, when using a lifecycle approach to implement either an informal or formal risk tool in line with ISO 14971 or ICH Q9 (Pharma) or the Automotive used of the FMEA. The Quality Management System (QMS) should incorporate Quality Risk Management (QRM) for the following purposes:

  • Acceptance of Residual Risks
  • Risk Assessment
  • Communication of Identified Risks
  • Risk Review
  • Risk Control

What will we be covering this series of posts discussing the QRM?

In this series of posts, we will be covering the following topics;

  1.     The concept of Quality Risk Management (QRM).
  2.     How to identify the source of risk.
  3.     Possible areas to apply QRM application.
  4.     Regulatory requirements.
  5.     Risk Management Tools.

People that will benefit from learning Quality Risk Management include people in the following departments:

  • Risk Management
  • Quality assurance
  • Engineering Service Providers
  • Commissioning
  • Product Development
  • Compliance
  • Project Engineers and Managers
  • Validation
  • Manufacturing Operations and
  • All Management related departments should be aware of QRM.


In this series of articles we will cover 3 module categories which include;

  1.     Introduction to Quality Risk Management (QRM)
  2.     Regulatory Requirement
  3.     Risk Management Tool


It is crucial to understand the terms that often appear when discussing Quality Risk Management, hence the need for a dictionary. Some popular terms are;

  • Corrective Action (CA): The action to take to correct a deviation.
  • Critical Control Point (CCP): A point in the process where you can apply a control measure to either remove or reduce to an acceptable level a (pharmaceutical) quality hazard
  • Failure: When an item fails to work as it should work.
  • Failure Mode: How the item failed.
  • Failure Mode and Effects Analysis (FMEA): It is a technique for determining fail modes and their effects. It addresses possible scenarios of what causes failure for low-level components and its impact on the system or application.
  • Failure Modes, Effects, and Criticality Analysis (FMECA): A way of adding an analysis of criticality of severity, detectability, and occurrence of FMEA.
  • Fault Tree Analysis (FTA):  A technique that analysts use to trace the source of failure in a high-level system.
  • Hazard Analysis and Critical Control Point (HACCP): A systemic approach for identifying, evaluating, and control of food safety hazards.
  • Harm: Physical damage to people, environment, and property.  
  • Hazard: A possible source of harm.
  • Hazard Analysis: A way of determining relevant information on the potential hazard to food and how to address it in the HACCP plan.
  • Preliminary Hazard Analysis (PHA): A way to identify hazards and design solutions for them.
  • PIC/S: It stands merely for Pharmaceutical Inspection Convention and Pharmaceutical Inspection Co-operation Scheme.
  • Probability of Detection: Estimating the chances of detecting a hazard before it causes harm to the patient.
  • Risk: It is the presence of potential harm as well as its severity.
  • Risk Acceptance: The choice or decision to accept risk.
  • Risk Analysis: The ability to use the information to identify hazards and estimate the risk
  • Risk Assessment: The process of gathering the information that justifies the actions to be taken to manage risk. The process will involve risk identification, analysis, and risk evaluation.
  • Risk Communication: The process of sharing information on risk that exist between stakeholders and decision-makers.
  • Risk Control: The process of reaching a decision that would allow for risk management with the system. In the process, there will decisions on how to identify the risk, measures to take, timeframe, and much more.
  • Risk Evaluation: A way to compare risk criteria to the risk estimate in order to reach a level of acceptance.
  • Risk Identification: A way of using the available information to identify potential hazards in a system or application.
  • Risk Level: A quantitative measure to evaluate the degree of risk in a system.
  • Risk Management: a systematic way of using policies, procedures, and practices to address the tasks of identifying, analyzing, evaluating, control, and monitoring of risk.
  • Risk Priority Number: The total measure of risk in a system. It is evaluated by multiplying severity with the rate of occurrence. The higher the number, the higher the risk in the system.
  • Risk Reduction: Actions that are taken to reduce both the probability and severity of risks.
  • Risk Review: A way of monitoring the outcomes of various risk management plans and strategies.
  • Risk Treatment: The process of selecting and implementing measures to change risk.
  • Risk Management Master Plan (RMMP): A framework that applies to all projects, and it can be used to draft a risk management plan.
  • Risk Management Project Plan (RMPP): This applies to individual projects and the plan specific to that project.
  • Severity: The measure of effects of a hazard

Now that we have covered the list of terms used by the QRM system, we can start to see how they are working together. We will identify events and actions around some of these terms and allow you to practice them in the ORCANOS QMS system.


Reference Links

Risk Management – orcanos FMEA Risk Management Tool
Generate Risk Management File Risk Management (ISO 14971) by Orcanos, based on FDA 2017 Recalls
Orcanos Risk Management – Add Traceability Matrix ALM Requirements Traceability Matrix Tools
10 Reasons why to use EQMS 21 CFR Part 820


Passing MDSAP with no paperwork

November 10th, 2019 Posted by Requirements Management Tool 0 thoughts on “Passing MDSAP with no paperwork”

MDSAPOrcanos has passed the MDSAP audit successfully with one of its leading medical device customer, led by Irit Bouwman.

Irith testified that this was a very successful audit, done purely online. “I was impressed of how powerful the tool is, it was as easy as clicking a button to get the information I needed, during the audit…..

“You are the first company I gave 0 grade since I have started giving audits on MDSAP…” said the auditor for STEP I

As Irith Bouwman, Director of QA with over 20 years of experience explained, the MDSAP audit is a very unique audit in a way that it takes both the standard of the ISO 13485:2016 together with the regulation of the regions the company is about to act and making sure that the SOP reflects those regulations in the SOP.

The lowest the grade is the better your audit. Grade Above 4 it is not recommended to go to stage II. If there is missing regulation in the SOP the grade start from 2, and more points are added during the audit finding.

In addition, during the audit, there is a new factor added to the audit grade is the RESPONSE TIME of the organization to request of the auditor. In that sense, it usually gives 10 min to retrieve a document from the quality system. During the audit, the retrieval time that it took our customer was less than 30sec. You may see the auditor put a stopper on the desk during the audit.

The reference to documents is also tested and the revision of the documents and the obsolete management of documents. Orcanos e-DMS system serves all those requirements electronically with almost zero human interaction and 0 errors.

Orcanos is proud to serve some of the leading medical device manufacturers, helping them to move their paper-based quality management system into an electronic template-based system, thus saving time and money  and reduces overall cost.

Get your MDSAP audit-ready today www.orcanos.com


November 6th, 2019 Posted by Requirements Management Tool 0 thoughts on “cGMP – DESIGN AND DEVELOPMENT TRANSFER (DMR) (11)”

The Device Master Record (DMR) is the ultimate document for ensuring efficient design transfer. It is not a mandatory requirement according to ISO 13485. The DMR is mostly theoretical as it is a compilation of documents required to complete the design process. The documents consist of all the documents above and the validation master plan.

DMROrcanos DMR system

In time, the document will need revising and subject to change. The DMR will help index each document as well as their note their current revision. To achieve a successful design transfer, you need the DMR. The transfer could be an internal transfer, manufacturing, or involving a customer manufacturing organization (CMO).

There are several ways to capture the design transfer process. They are;

  • A transfer checklist
  • A checklist that forms a part of the product’s lifecycle SOP.
  • An entirely new form.

The checklist comprises of activities to complete to aid a successful design transfer.  The list will include the following;

  • Facility preparedness
  • Product specification
  • Training activities
  • Test method
  • Component properties
  • SOPs and WIs
  • Success criteria

Also, the design transfer process comes with a design transfer plan with well-defined criteria. A report should be made available upon completion. The report will contain all the activities and proof a successful transfer.

ORCANOS in MEDICA during 18 – 21 November 2019 in Düsseldorf

October 19th, 2019 Posted by Requirements Management Tool 0 thoughts on “ORCANOS in MEDICA during 18 – 21 November 2019 in Düsseldorf”

Medica 2019

ORCANOS In Medica During 18 – 21 November 2019 In Düsseldorf

MEDICA is the world’s most significant event for the medical sector. For more than 40 years it has been firmly established on every expert’s calendar. There are many reasons why MEDICA is so unique, making it the largest medical trade fair in the world.

During the dates of 18 – 21 November 2019 ORCANOS will be present in the MEDICA event, ready to meet with you. Whether you are exhibiting or visiting we would like to meet with you. We can discuss the ORCANOS software solution for QMS and Product Development (ALM).

One System. Multiple Processes. Zero Faults. We are coming to give you a chance to see for your eyes, ask questions and listen to our customers presenting in the Medica show.

To arrange a meeting with us contact:

VP Sales & Marketing

Rami Azulay

email: rami.azulay@orcanos.com

mobile/whatapp +972-54-444-0255

or just fill the form for request for a meeting here:


— Await you in Düsseldorf. Visit our website: www.orcanos.com[

CAPA Chapter V: Reviewing The CAPA System and Actions

October 19th, 2019 Posted by Requirements Management Tool 0 thoughts on “CAPA Chapter V: Reviewing The CAPA System and Actions”


The FDA and the ISO13485 both demand that the management reviews the status of all PAs and CAs. People tend to ignore the importance of review, and that can be costly for the management. It is up to the management to take responsibility for the CAPA review process.

Reviews should not be restricted to the management alone since it can be done at several stages of the CAPA process. For instance, a weekly review will help the management get a better understanding of the CAPA status. Needless to say, it is crucial that there is a review to ensure success. Orcanos system allows the organization to proactively send alerts regarding the review process and keep the management up to date in real-time.Management Review

Inputs for Management Review

There is a significant difference between data for management and data for day-to-day management. Below are some of the duties of a manager when reviewing the status of CAPA. They are;

  • It is the duty of the management team to provide sufficient resources.CAPA Resource Allocation Review
  • Ensure that all actions are following the set plan. That way support is made available for CAPA activities.
  • To produce a form that allows for the closure of CAPAs. Ensure that actions are complete and there is data to support it.CAPA eForm

Orcanos CAPA eForm


Actions that Yield Effectiveness

Closure can sometimes be mistaken for completion. However, completion means that the actions taken were effective. One of the few ways to fall into a non-compliance trap is to set a fixed date of CAPA action completion. Obviously, fixed deadlines are a bad idea, especially for actions that will require auditing reviews. Not with the Orcanos CAPA system. It allows you to separate between the CAPA completion to the PA/CA completion.

Perhaps, there could be an assumption that one audit is sufficient, but that may simply be one consideration point. There could be multiple measure points that will need for multiple reviews. Well, multiple data points tend to yield better results. An example is dealing with registration audits that often require at least 2 audits that span roughly two years.

Another reason to have multiple action points is that you get to see the result of actions outside that of CAPA. Deadlines for completion are within control when there is a good relationship between the assigners and assignees. Unless your system can proactively prompt the assignee with messages on its upcoming commitment for completion, exactly what the CAPA system will generate automatically.

It is important to distinguish between the closure of CAPAs and the closure of actions. Always leave room to be flexible, that way you can see the completion of action within a reasonable schedule. Remember that the completion of actions is a way to determine effectiveness.


CAPA Chapter IV: Actions To Take To Address CAPA Problems

October 11th, 2019 Posted by Requirements Management Tool 0 thoughts on “CAPA Chapter IV: Actions To Take To Address CAPA Problems”

CAPAIf you discover a non-conformity in your CAPA system is systemic. It means that the non-conformity is realized and it will keep recurring. Then it is time to take action to both correct it and prevent it from recurring.

Hence, it is suggestive that for every CA there is a PA component. It follows the logic of definitions for Corrections, Preventive Actions and Corrective Actions.

For all actions, it is crucial to define, analyze for effectiveness, implement and document them.  

Actions (Going beyond what to do)

To get a full picture of how actions affect the CAPA process, then follow the steps below.

  • Documentation: Always document every action and if need be, refer to the documentation requirement guide.
  • Define Completion Criteria: You have to find a way to determine if an action was successful. If not, it would be impossible to know if an action was completed. 

    For instance, how will you know if an action to improve product feature or process is complete? Or perhaps your action was meant to reduce a shipping error. There should always be a way to measure your actions.

  • Verification: Using the shipping error example, how would you verify the completion of a sipping process? One way will be to contact the customer and ask if they got their item. Their answers will help verify the shipping process.
  • Effectiveness: It is not uncommon that they may be some error. In the shipping example, a way to determine effectiveness is to ask how often customers get their order correctly. The answer will provide insight into the effectiveness of your process. However, while some processes can allow for error, processes that involve risking lives have to be 100% effective.

Good Practice to Follow

We will outline a standard practice to follow for action items. They are;

  1. Always make someone responsible for the entire process. There is a chance of victim-blaming if the process becomes a group responsibility. While teamwork is essential, make sure someone heads the group.
  2. Set realistic deadlines. A deadline that is too optimistic can lead to failure. Therefore, work with the owner and ensure to pick a deadline that will allow you to complete the process.
  3. Always partner with the owner and an expert that might be needed to complete a particular step in the process.
  4. Have frequent meetings to ensure that everything is working according to the plan and on schedule. The frequency of meetings should align with the risk that comes with the process. Risky processes demand more status updates. Meetings will help you measure progress.

The Tipping Point for Actions

While Root Cause Analysis might be the most prominent issue when it comes to the CAPA system. Actions also lead to a significant amount of issues in the CAPA system. In our earlier blogs, there are hints to how actions can constitute a problem.

Sometimes when actions are set and the sequence doesn’t reach completion, it will create problems in the CAPA process. The situation is common in instances where the project demands outweigh the CAPA problems.

Furthermore, manager ignoring CAPA has a priority make taking action problematic. Although, frequent meetings can help bring the problem to light if the manager bothers to host them.

Another way for problems to arise is when there are no completion criteria despite defining the problem. The person in charge of taking action has to understand the importance of completion criteria to prevent delay. Alternatively, if the scope of the action isn’t well defined, then the same problem will arise.

Project owners can be anxious and push for quicker deadlines, it is up to the assigners to convince owners on unclear or unreasonable deadlines. Likewise, it is important that all parties are in agreement on all data collection and various deadline.

CAPA Chapter III – Root Cause Analysis of the CAPA System

October 1st, 2019 Posted by Requirements Management Tool 0 thoughts on “CAPA Chapter III – Root Cause Analysis of the CAPA System”


Root Cause Analysis (RCA) is the heart and soul of the CAPA system. Without defining the root causes or cause of a problem, it would be nearly impossible to prevent from recurring. According to Wikipedia, root causes are the result of a causer chain where a sequence of events leads to problems. 

Also, there is a possibility that someone is responsible for introducing the error. Furthermore, there is the puzzle of why the error was not detected.

Root Cause Analysis

One of the easiest ways to carry out a root cause analysis is to reiterate that the problem is the root cause. Although, this is a terrible approach and will often not lead to the discovery of the root cause. For example, it is easy to simply blame documentation for a process gap. 

Likewise, one could easily blame specification for an error in an equipment part, while there is a possibility that other parts could have problems too. The truth is that there is never just one root cause, there are several.

Hence, the process of discovering the root cause or cause is both a science and an art. A lot of creative thinking goes into the process of identifying all likely possibilities for a root cause. Data plays a vital role in ensuring that you reach the right conclusions. When conducting RCA, it is a great idea to consider various perspectives.

The hardware team mostly believes that all problems stem from software and the software team thinks that the problem stems from hardware. Similarly, R&D and manufacturing trade blame. As a result, it is important that the management team take control of the situation and stick to the facts when investigating problems.

It is worth mentioning that one could argue that all problems are management problems. A good management team will avoid blame shaming and remove emotions from their decision making. By sticking to the facts, the management team will be able to get to the root cause.

The Toolbox for Root Cause Analysis

There are several toolboxes available to help determine root cause and there are several factors that would help decide on what toolbox is right for a specific problem. For example, a fault tree analysis will suit a technical problem issue, while a 5 why approach will work for a quality system problem.

A tool is only as useful as the person using it. A great tool can be misused in the wrong hands and vice versa. Therefore, when it comes to resolving issues in the CAPA system, it is best to go for skilled and experienced personnel rather than a recent hire. 

A quick search for an example of root cause analysis will often return the Jefferson Memorial Example. The park service investigates the root cause of why the memorial building was deteriorating.

The Jefferson Memorial Example

Similar to the time when Jefferson and his trumps had to defend American from British invasion, the park service is defending the building from destructive invaders. Apparently, the stones in the building were falling due to frequent washing.

The frequent washing was the result of excess bird dropping, and excess birds were attracted to the spider food source in the building. The spiders came to feed on the thousands of tiny insects in the vicinity. The tiny insects were drawn to the evening spotlight at the monument that coincides with the time the insect goes into a mating frenzy. 

As a solution, the parking service opted to delay the time of that they switch on the light to one hour after sunset. The result is the reduction in the number of insects by 90%, which in turns breaks the food chain that results in the frequent washing of the building.

The example above is a great example of ensuring that you have all the information relating to the problem before taking any action. In so doing, you will get to the root cause of a problem and then solve it.

The 5 Why Analysis Example for Root Cause Analysis

The “5 Why” model can be used to explain the building’s deterioration. Without further asking why the park service could have spotted at reducing the amount of washing after discovering that the washing is the cause of the deterioration. However, by reducing just the amount of washing, the memorial building will remain unsanitary due to the bird’s poo. 

The investigation going by asking why could have stopped at bird poo without further questions. But by continually asking why, the parking service was able to discover that the root cause was the light. By discovering the root cause, they were able to implement effective corrective action at a much lower cost.

The Result

After arriving at the root cause, it becomes obvious that implementing a solution at this point will yield the best result. For instance, by delaying the switching on of the light by one hour, what will be the result? There would be fewer insects, then less food, then fewer birds, and reduced washing. The example shows the chain effect of both the problem and the effect of the solution.

While the example above seems a bit straightforward, that is not always going to be the case. The “5 Why” analysis will require the skill and experience of a veteran in the CAPA system to help plot the path to the right conclusions. Having an electronic system such as Orcanos that includes the e-CAPA system is exactly that way to pass knowledge on to the next generation of people as well to collaborate the information across departments.

The Major Tripping Point of the CAPA system.

The RCA is often the point that problems in the CAPA system begin. It is easy to think that the problem is the cause or to assign blame to someone. While a person might be the reason for causing a problem, unless there is a maliciously intent, then you need to find the root cause. The practice of going for the easy solution or blame shaming isn’t acceptable.

In the Jefferson example, it is easy to find several points where the investigation could end before reaching the root cause. Also, always document the Root Cause Analysis process, else one can assume that there was never a problem. It is important to document your RCA process as it would help reviewers and auditors understand the steps that led to your conclusions.


Never reaching the root cause of a problem is the same as plugging a hole in a dam, when there are several linking points. Blaming people especially when there is no proof of malicious intent is frowned upon. Likewise, simply relying on tools to solve the problem is not enough. Tools just make the process of finding a solution easier, as the tool will require the skill and experience of a veteran to be effective.

Accept all inputs and opinions as it would enable you to gather all the facts and discover the root cause without bias. Lastly, don’t just settle on one cause keep investigating until you discover all root causes.

CAPA Chapter II – Driving Source

September 21st, 2019 Posted by e-GMP, ISO 13485, Recall 0 thoughts on “CAPA Chapter II – Driving Source”

Often times, we suspect products and process as the main sources for CAPA. However, there are several other areas that we can consider as CAPA sources. They include;

  • Customer Complaints: It represents a majorly of all product-related sources for CAPA.  In the event that the customer complaints are repetitive, then there is a chance that the root cause can keep recurring. Also, complaints about the system are an indication that there is a problem with the training or instruction.
  • Yield Rates: Yields rates are most likely the main cause of CAPA rising in the manufacturing industry. Systemic issues become unavoidable when there are frequent expulsions in the process limit.
  • External and Internal Audits: Audits are the biggest identifiers that there should be a process PA or CA in the system.
  • Employee Feedback: The feedback from employees could help prevent process issues as well as enhance product development in the future.  Employee feedback is one of the direct sources a company can use to implement CAPA.
  • Vigilance: Another great resource for CAPA is to remain abreast of competitors in the same field. You can study your competitor’s product to try and implement steps to prevent certain likely problems that may arise in your product. For example, you learned that pumps develop a free flow problem by studying your competitor’s pumps. You can hereby take steps to eliminate the problem in your own pumps. We at Orcanos conduct daily research on every recall that is reported by the FDA site and conducts a technical analysis to allow the share of such events with our customers.

Managing Risks

Subconsciously most people find themselves managing risk by prioritizing their daily tasks and giving more effort to tasks they consider more important. Similarly, CAPA requires the same approach.  The actions to be taken should be prioritized based on risks. The reasons to apply such a strategy are;

  1.  To prevent the company from wasting resources on trivial problems.
  2.  To continue to create an opportunity to respond to public safety concerns.
  3.  The risk will help determine the approach of the investigation. For instance, you could take a scientific approach like the FMEA or FTA when dealing with patients safety. Meanwhile, a five-why approach can be used to address process issues.
  4. Always document your risk-based decisions.

The Process

In taking a closer look into the CAPA process, we will be expanding on the key requirements. They include;

  • Analysis
  • Investigation
  • Determining action
  • Implementing action
  • Determining the Effectiveness

First Thing to Consider: Understand

The step in the CAPA process is understanding. Without understanding the issue, it will be impossible to find the root causes or determine appropriate action. In the event that you do implement appropriate actions, there is a chance that actions and the changes would not be as comprehensive as they ought to be.

However, there are steps to take in order to understand the problem. The steps include;

  1. Defining the problem as well as writing it down. In so doing, you can better grasp the starting point of the issue.
  2. Try to identify the cause of the problem. A simple tool to use is the Fishbone Diagram.
  3. Using the Fishbone Diagram you have to determine if people, machinery, environment, process, material, and management are contributing to the problem. While you might not be solving the problem at this stage, you will be gaining a better understanding.
  4. The scope of the problem is the next step in the process.  For instance, perhaps you are using a piece of particular equipment to manufacture several parts. Unfortunately, there seems to be a fault with just one part.

Regardless of the fact that the other parts created using the same equipment have no faults, you should consider the possibility that the equipment could be contributing. Likewise, there could be a documentation problem. The ability to analyze scope ensures that you identify all the root causes.

In the event that a problem escapes detection, then it is important that there be an investigation as to why it wasn’t detected.  Perhaps there were no early-stage checks or the current checks are ineffective. 

The importance of early-stage checks is vital in the software industry where late-stage errors can prove to be costly. For example, an error that is not fixed in design stage can be 3 times or more expensive to fix at the verification stage of the process. Therefore, best to think of the early stages where the problems could be fixed and document them.


When you discover a non-conformity in a product, then it is time to exercise damage control. The damage control is not to divert the financial burden, but to ensure that the product does not cause harm to patients. If the product is already in the market then issuing a call-back and inform the customers to prevent more damage is the best course of action. 

However, if the product is still in the inventory, then the containment action will be to quarantine the inventory until the problem is solved. Containment actions should always match the risk as the damage control for issues that will affect customer’s health will differ from actions that have to deal will function or form.

Scope Analysis

Below is the summary of the thought that should go into scope analysis.

  1.  If a product is affected by equipment, then what other products are affected by the same equipment?
  2.  How thorough is your quality control system if a process is missing a particular document?
  3.  Are there audit gaps or any other gaps?
  4.  Are all of your software system validated? Is your validation process complete?
  5.  Do components affect the quality of your system and what role does your supplier play?

In conclusion, if you do not fully comprehend the extent of a problem in the CAPA system, then there is bound to be some missteps along the way.

Page 3 of 21
1 2 3 4 5 21


8 Tozeret Ha'aretz Street
Tel Aviv, Israel

Copyright © Orcanos, All rights reserved. | Privacy policy | Terms of use