Nonconformance Versus CAPA Requests

CAPA process, CAPA requests

Question:

I need advice on the use of Nonconformance versus Corrective Action/Preventive Action (CAPA) Requests. I understand and have tried to communicate the low risk and high risk definitions to staff with some understanding. In reporting nonconformance’s some evolve into a root cause analysis which is a positive direction but thought to be a requirement of a Corrective/ Preventative Action. Nonconformance’s are logged on a report and reviewed periodically. CAPA Requests are more elaborate; logged and reported on a metrics with continuous review.

Response:

My answer may seem lengthy but I feel defining things is important. First, here is part of a memo I put together for one company.

ISO terminology and definitions – Corrective action/Preventive action

Some people experience confusion over the differences between corrective and preventive action.

We know that corrective actions are taken to remove the causes of existing nonconformities.

If the nonconformity is detected during production, immediate corrective action is taken to eliminate the problem. In other words, we fix what went wrong. We take preventive action to ensure the same problem does not happen again. However, this is still corrective action because it is based on solving a problem that has already happened.

We might use documents or electronic forms to report/record such actions. Here, caution is advised. For example, if a machinist turns a part undersize, immediate corrective action is taken to fix the mistake and further action is taken so it doesn’t reoccur on subsequent parts. If the original “bad” part was scrap and we record that as a non-conformance in our documentation, with the corrective action noted, we might then close that record. We might then request a follow up with preventive action. That would be a mistake.

Note: Not every problem or non-conformance requires a corrective action. This is determined on a case by case basis, usually by a manager. Each case is different.

Example: A welder accidentally causes weld spatter to fly into a tapped hole. The welder cleans out the B-B’s, re-taps the hole and moves on. Generating a non-conformance form should not be necessary in this case as no product was scrapped or made nonconforming.

Now, let’s say an employee sees a potential problem.

Example: The employee notices the jaws of a turning center are showing very obvious/significant run-out.

This could potentially result in nonconforming product. This is a good case for preventive action. A change request could be generated and when the action is taken, it can be followed up on (verified) and recorded in the appropriate format. In most cases, over an entire year a company will record very few Preventive Action Requests (PAR’s). However, that same organization will register numerous Corrective Action Requests (CAR’s). This is the normal rhythm of things and is what we strive for.

Here are a few definitions for your files. The following Terms and Definitions are taken from ISO 9000:2005:

3.6.4
Preventive action: Action to eliminate the cause of potential nonconformity or other undesirable potential situation.

NOTE 1 There can be more than one cause for a potential nonconformity.
NOTE 2 Preventive action is taken to prevent occurrence whereas corrective action (3.6.5) is taken to prevent recurrence.

3.6.5
Corrective action: Action to eliminate the cause of a detected nonconformity or other undesirable situation.

NOTE 1 There can be more than one cause for a nonconformity.
NOTE 2 Corrective action is taken to prevent recurrence whereas preventive action (3.6.4) is taken to prevent occurrence.
NOTE 3 There is a distinction between correction (3.6.6) and corrective action.

3.6.6
Correction: Action to eliminate a detected nonconformity.

NOTE 1 A correction can be made in conjunction with a corrective action (3.6.5).
NOTE 2 A correction can be, for example, rework.

I hope this has been helpful.

Bud Salsbury
ASQ Senior Member, CQT, CQI

Additional ASQ Resources:

Form by Design
Using flowcharting techniques for robust form design
by Lance B. Coleman

Corrective Action Challenge
How to construct a robust problem-solving process
by R. Dan Reid

CAPA for the FDA-Regulated Industry (book)
Abstract: Medical devices, biopharmaceutical, and traditional drug manufacturing companies devote an important part of their resources to dealing with incidents, investigations, and corrective and preventive actions. The corrective and preventive action system is known as the CAPA system. It is second to none in terms of frequency and criticality of its deviations, and most of the regulatory actions taken by the FDA and foreign regulators are linked to inadequate CAPA systems. This guidance book provides useful and up-to-date information about this critical topic to thousands of engineers, scientists, and manufacturing and quality personnel across the life sciences industries.

Understanding and improving the CAPA system as a whole is the focal point of this book, the first of its kind dealing exclusively with this critical system within this highly regulated industry. By helping those in this industry improve their CAPA systems, it will be a crucial aid in their mission of producing safe and effective products.

Employee Qualification Audit

 

Reviewing confidential files, training records, human resources files

Question

I am a Quality Assurance GxP Auditor and I am being told that I cannot perform employee qualification audit.  I am being told that CV/resumes, job descriptions, and training records are confidential and my viewing them would violate an employee’s privacy.  If this is true, how to I prove to my client that the company has qualified personnel?

On the same note, is this also true of an internal or 1st party employee qualification audit where my own company would want me to verify the qualifications of our employees to ensure they meet international FDA/ICH guidelines?

Response

Thanks for contacting ASQ’s Ask the Experts program.

With regard to your question, maintaining confidentiality can be a major concern for the employee, organization and the Auditor.  For this reason, the review of employee files containing private data such as social security numbers, banking, personal contact or other sensitive information should be avoided if possible.

This not only maintains employee privacy, but also reduces the Auditor’s level of exposure to potential liabilities.

So now the question is; how can the Auditor verify employee qualifications and experience? Remember that there is no requirement for an Auditor to review job applications, CV/resumes, or other confidential information.

It’s the organization’s responsibility provide the Auditor with objective evidence that they have established job descriptions for employees performing work activities that affect the quality of the product or services to be provided to the customer (ISO 9001:2008, clause 6.2.1).  This includes providing evidence that the employee’s qualifications, skills, education and any applicable certifications have been verified to meet job description requirements or the need for training has been established to ensure job description requirements are met (ISO 9001:2008, clause 6.2.2, sub., a. b and c).

As you are aware, a job description may be considered as proprietary, but they are seldom considered as private since they don’t contain any personal information.  Some organization’s may require that a nondisclosure agreement (NDA) be signed to protect propriety information such as engineering data, drawings or other methods related to product realization processes.

A record of an organization’s review and verification of employee qualifications should be readily available.  Likewise, training and applicable certification records should be available to provide objective evidence that qualification and/or competency requirements have been met (ISO 9001:2008, clause 6.2.2, sub., e).

Bill Aston
ASQ Senior Member
Managing Director of Aston Technical Consulting Services
Kingwood, TX
www.astontechconsult.com