9 Steps to Creating a CAPA Audit Checklist

January 13, 2023

As you conduct internal audits, you may uncover items to address. If these issues are systemic in nature, then these issues are likely candidates for a more thorough corrective and preventive actions (CAPA) investigation. But what happens next?

While both your internal auditing and CAPA systems are technically independent of each other, managing the way they interact and feed into each other is a hallmark of a healthy quality management system (QMS).

To help give you an overview, we’ve put together a CAPA/Audit checklist that will explain how to translate audit findings into a CAPA investigation.

FREE RESOURCE: How to use the "5 Whys" technique for Root Cause Analysis? Get our quick rundown here.

1. Develop a robust internal auditing process that produces CAPA-worthy findings

Internal audits are a common source of potential quality issues worthy of a CAPA investigation. However, before you can be confident relying on them, it’s a good idea to ensure your internal auditing procedures are robust and working properly.

Internal audits are intended to be a system of checks and balances to ensure:

Procedures are compliant with regulatory requirements
Procedures are being followed correctly by employees
Identification of issues and opportunities for improvement
Overall health of your QMS

One foundational step towards a robust internal auditing is establishing well-documented internal auditing procedures. Your procedures help to ensure consistency and attention to all key areas which need to be audited, so nailing these documents is crucial to your success.

Your internal audit program should also be on a regimented schedule, the frequency of which is ultimately up to you. One approach is to organize and group your processes according to similarities.

For example, it may make sense to group design controls and risk management processes because of how these processes interact.

Another method to scheduling is to group management responsibility and analysis of data, and then break these groups up, schedule wise, across the entire year. I like the approach of having internal audits happening throughout the year, or ideally every quarter.

Scheduling quarterly internal audits is helpful because:

You avoid the end-of-year rush
You always have internal auditing processes active
You can uncover issues that need to be addressed as part of CAPA investigations

TIP: Have an objective person, one who is not responsible for the actual work, conduct the audit. This might even involve an external consultant. Auditors should not audit their own work and should be appropriately trained for auditing. Additionally, include management review as part of the audit process.

2. Define your requirements for CAPA

Another foundational step is to ensure you have adequately defined your CAPA process. The various items that fall under CAPA should be integral parts of the procedures for your company.

These procedures are expected to be in place with a formal quality management system and the FDA inspectors and ISO auditors will look for these. In fact, I guarantee that every FDA inspection and ISO audit will assess and review your entire CAPA system.

What is the relationship between internal audits and CAPA? Internal audits are a key source of CAPA investigations. It is expected that you use CAPA to address major, systemic issues—including those found during your internal auditing activities.

TIP: You are not required to show a FDA inspector the actual internal audit reports. You do need to demonstrate that you are conducting internal audits, however. This is why that internal audit schedule is important as well as demonstrating that there are CAPAs that result from internal audits. Note that an ISO auditor can (and will) review actual internal audit reports.

3. Have a step-by-step system to track CAPAs

All critical CAPA activities that result from investigations should be tracked in a centralized system, easily accessible to those who need it. This also acts as your “proof” for inspectors/auditors that yes, you do take appropriate CAPA measures when needed.

One of the critical issues we often see is that medical device companies overuse CAPA. Companies might assume that virtually everything needs to fall under CAPA, when in fact there are plenty of things that can be handled with your change management system and wouldn’t be considered part of CAPA. Companies overburden themselves with CAPA and find that they miss the real issues.

On the opposite side of that are those who underuse CAPA, perhaps missing key areas for “preventive action.” Dealing only with known quality problems, or "corrective actions," is very reactionary. You should also consider proactive approaches you can take by using insights and data to identify potential issues before they happen. This is the essence of the “preventive action” side of CAPA.

The bottom line is that you need a clear definition of what types of issues will fall under CAPA, based on the seven areas outlined in FDA 21 CFR 820.100 or ISO 13485:2016.

4. Identify the quality issue cause and the scope of potential problems

So, now we’re at the stage where something has turned up in your internal audit and it falls within the realms of CAPA. The first thing you need is a very clear definition of what the problem actually is.

We often use “should be” and “is” statements for this. For example, “The part should be made of steel. The part is made of aluminum.”

As for determining the scope of your CAPA investigation, you might ask questions like:

How great is the problem?
Were all parts made of a particular material or only the last batch received?
Does the problem only seem to happen on certain days?
Has any product with the fault been released to the market?

You should ensure that the depth and intensity of investigations match the severity of the problem.

5. Correct the problem with containment actions

Once a problem has been identified, the next thing to do is contain it so that you prevent it from escalating or recurring while analyzing the root cause.

For example, you might need to quarantine lots of faulty parts from the warehouse, contact the manufacturer of the parts, or even halt production. You may also need to put checks in place to ensure that, should the problem recur, it is caught before it becomes an issue again.

6. Identify the root cause of the problem

Whenever we face a problem with a medical device or within the development process of one, we look to the root cause analysis to determine, well, the root cause! The idea is that you need to know what underlying issue/s lead to the problem so that you can fix or mitigate them.

An article for MDDI talks about root cause analysis in CAPA with reference to the book Apollo Root Cause Analysis:

...there are always at least two causes of any problem. There is always a preexisting condition and an action (or catalyst) that when combined result in a problem. Therefore, employees should always look for at least two causes of any problem. Causes often extend beyond the area or function where they are detected, so for major problems, assemble a cross-functional team to perform the root-cause analysis.

There are a few different methodologies for performing root cause analysis, so be sure to explore which one is right for you.

7. Plan and implement a risk-based CAPA process and action plan

Once the root cause has been identified, you need to plan for the corrective or preventive action that needs to be taken to deal with the issue. You must figure out what steps need to be taken and what resources you need.

Also, consider if you require approval for extra funds.

Remember, all of this must be documented and readily retrievable should it be required. Once you’ve got your plan, the next part is implementing it - following through to take the necessary steps to resolve the issue.

8. Follow up on CAPA effectiveness

This is a requirement as laid out in FDA 21 CFR 820.100, “(4) Verifying or validating the corrective and preventive action to ensure that such action is effective and does not adversely affect the finished device.”

You need to have a clear, documented method of follow up and testing to ensure that your CAPA actions are effective, as well as that the methods and procedures for CAPA are being followed.

This may mean that you need to wait a period of time to ensure that the problem doesn’t recur. Don’t be tempted to close out your investigation too early; timeliness is less of a factor to auditors than being able to prove that you really did solve the problem successfully.

FREE RESOURCE: How to use the "5 Whys" technique for Root Cause Analysis? Get our quick rundown here.

9. Choose the right QMS software to make your CAPA audit checklist complete

Your internal auditing process should be treated as a vital exercise to ensure that your company stays on the right track. Rather than a checkbox item, treat it as a valued input from which your company can use for continuous improvement.

While a healthy CAPA process is key to a healthy quality management system, it is equally important to understand how all QMS processes connect with CAPA, including internal quality audits.

Ensure end-to-end traceability and auditability throughout the Greenlight Guru QMS platform since you can easily see what was changed, why it was changed, when it changed, who changed it, and what was impacted as a result of a CAPA.

If you’re ready to streamline your audit and CAPA management system, contact us today for your free, personalized demo of Greenlight Guru →

Etienne Nichols

Etienne Nichols is the Head of Industry Insights & Education at Greenlight Guru. As a Mechanical Engineer and Medical Device Guru, he specializes in simplifying complex ideas, teaching system integration, and connecting industry leaders. While hosting the Global Medical Device Podcast, Etienne has led over 200...