The Impact of Risk Management on CAPA

Your CAPA process should be entirely risk based, from the moment a request is made until you have verified the effectiveness of the actions taken.


if you’re in the business of developing medical devices, then risk and risk management become synonymous with daily operations. your overall task is to bring a medical device to market that not only provides a needed function to a patient but is also proven to be safe and effective to use. a product that may be used by someone who is near and dear to you, too.

risk management is a process that is very much here to stay in the medical device industry. on the product side of risk, iso 14971 continues to be the cornerstone of identifying, assessing, evaluating, and controlling risks as a means to ensure medical devices are as safe and effective as possible.

fda also works to ensure stronger risk management by requiring manufacturers of medical devices to have clearly documented procedures for corrective action and preventive action (capa). so how does capa play a role in product risk management?

many capas will impact medical device products in some way, shape, or form. whether addressing a design issue, how the device is used, dealing with specifications, or manufacturing processes, capa actions need to consider and address risk management.

and it’s not enough to just check a box on a capa form. addressing risk requires reviewing documented product risk management to determine if the issues within the capa are defined accurately. if not, then update your risk management accordingly.

from a product side of risk management, this interaction with capa is so important. iso 14971 establishes risk management as a total product life cycle process. however, many do not truly keep their risk management files up to date and current.

another risk concept that was formally introduced to the medical device industry with the publication of iso 13485:2016 is “risk-based qms.” what does this mean and how does this relate to capa?

yes, it’s true that iso 13485:2016 does make reference to iso 14971. and from the product side of things, that makes complete sense. the references also infer that a risk management process and framework is well-defined and well-established by iso 14971 and that this framework is also applicable to your qms.

capa is largely regarded as one of the most important quality system elements. from my perspective, the concept of a risk-based capa process becomes foundational to the health and success of your medical device company. there are a lot of factors to consider with respect to applying risk concepts to capa.

risk-based decision making is almost approaching cliche status these days. however, your capa process should incorporate the concept of risk-based decision making from the moment you learn of a quality event (such as a complaint or nonconformance).

does the quality event require a formal capa investigation? this is an example of risk-based decision making. once a capa request is submitted, then the decision whether or not to proceed with a capa should also be a risk-based decision.

after a request is accepted as a formal capa, then identifying the priority and urgency are also important and also should be risk-based decisions.

ensuring all products, processes, and sources are identified within a capa are key risk elements. in other words, when you issue a capa, don’t be too myopic; consider if the issue to be addressed is also prevalent with other products and processes. be holistic. taking this approach could actually reduce the volume of capas and be a way for you to shift to being proactive, rather than reactive.

drilling down and identifying root cause is also a risk-based approach. if you do a poor job with root cause, then the issue has a likelihood of happening again.

once root cause is determined, then the actions you take are key to controlling, reducing, and mitigating risks. the actions you take, however, are directly related to the identified root cause.

upon completion of actions, you will need to verify the effectiveness of those actions. this verification step is very crucial because this should be when you determine and confirm, with objective evidence, that the capa has been addressed successfully.

to say it another way, your entire capa process should be entirely risk based, from the moment a request is made until you have verified the effectiveness of the actions taken. updating your process like this will undoubtedly boost the success of your medical device, and consequently the future of your business.


Jon Speer

jon speer is the founder and vice president of qa/ra at, a software company that produces the only modern quality management software solution exclusively for medical device companies. device makers in more than 250 cities in 26 countries use to get safer products to market faster with less risk while ensuring compliance.

speer is a medical device industry veteran with over 19 years experience having helped dozens of devices get to market over his career in a variety of roles including product development, project management, quality and regulatory. he is also a thought leader, speaker, and regular contributor to numerous leading industry publications.

500 characters remaining