
PLAN. RISK. CAPA. The Most Important Four-Letter Words in Any Medical Device QMS

Quality systems in the world today have progressed to the point of providing a strong business infrastructure with a focus on quality and regulatory requirements. As such, there are three very important words integrated within the overall structure of the quality management system (QMS): PLAN, RISK and CAPA.

As your organization strives to achieve compliance in this regulated world, building a strong infrastructure on these three concepts will not only simplify your processes, it will establish a more sustainable business model. Let’s look more closely at how these work.


Planning Is the Foundation for All Subsequent Activities

ISO 9001:2015 clause 6.3 states: “When the organization determines the need for changes to the quality management system the changes shall be carried out in a planned manner.”

ISO 13485:2016 clause 5.4.2 states: “Top management shall ensure that the planning of the quality management system is carried out to meet the requirements given in 4.1 as well as the quality objectives.”

Planning is integrated into all activities within the quality management system. Whenever you take action to implement or change something within the QMS, you must have a plan for how to complete the activity. Before we get stressed out about extra work, let’s think about it for a moment. You are already planning in all areas of the QMS; you just need to take credit for it. Here are some examples of quality planning already in place in the system:

  • Internal audit planning
  • Supplier audit planning
  • New employee hiring
  • Training plans
  • Production plans
  • CAPA plans
  • Inventory plans
  • New facility start-up plans
  • Maintenance and calibration plans
  • Change control plans
  • Design development plans

As you can see, quality planning is happening all the time. The change in focus for auditors is to ask for evidence of the plans. For example, ISO 9001:2015 clause 6.2.2 states:

When planning how to achieve its quality objectives the organization shall document

a. What will be done

b. What resources will be required

c. Who will be responsible

d. When will it be completed

e. How will the results be evaluated.

You should be prepared to describe or provide evidence of a plan any time you indicate you are going to do something in the future.


Risk Goes Hand in Hand With Planning

Once you have an identified plan to take action, the next step is to determine what risks are associated with the planned activities.

ISO 9001:2015 clause 6.1 states: “When planning for the quality management system, the organization shall consider the issues referred to in 4.1 (internal and external) and the requirements referred to in 4.2 (Understanding needs and expectations of interested parties) and determine risks and opportunities to be addressed.”

ISO 13485:2016 clause 4.1.2 states: “the organization shall apply a risk-based approach to the control of appropriate processes needed for the quality management system.” This implies the same requirement as identified in ISO 9001:2015.

Risk-based thinking is a very important process within the QMS. Earlier we discussed the importance of planning. One very important element in all of the planning activities is the allocation of resources. Identifying adequate resources to ensure plans and activities are completed in a timely manner often introduces a high level of risk to the QMS. The organization must make decisions on what activities are most important or critical and which activities can be placed on hold. In most cases, if you try to have resources to accomplish every activity at the same time, you might have to hire an army of staff. Risk-based thinking sets the stage for prioritization of activities. Assign the resources as appropriate based on the priority of the activity. If priorities change based on critical business needs, resources can be moved without losing sight of everything that needs to be completed.

A best practice is to generate a project prioritization log. List all of the plans, CAPAs, meeting action items, calibration and maintenance activities, etc., on the log. Identify the owner and the priority based on business needs. Allocate resources as appropriate. As one project completes, the resources are moved to the next project. Establishing a process such as this provides evidence to the auditor that you are managing the system based on risk.


The Importance of Risk Management in the QMS

The other risk that must be addressed within the QMS is risk management. ISO 13485:2016 clause 7.1 states: “The organization shall document one or more processes for risk management in product realization.”

Risk management as defined within ISO 13485:2016 focuses on product safety and effectiveness. It is very different from risk-based thinking. Essentially, there is an expectation that every time you “plan” to do something you evaluate the risk associated with that plan. You must establish a process within the QMS to evaluate the product design and process for potential risks that could lead to potential harms. ISO 14971:2019 is identified as the state-of-the-art standard for managing risk.

ISO 14971:2019 defines harm as “injury or damage to health of people, or damage to property or environment.” You might ask why it is important to consider property and environment when evaluating risk. Medical products and devices can generate emissions and/or waste that can damage the property and/or environment. As such, these emissions can generate potential harms for people and populations.

When the concept of risk was introduced in GMP, it was basically a “one and done” type of process. Over the years the importance of risk management as an iterative process throughout the device life cycle has become a requirement and focus for all medical device organizations. Understanding the potential hazards, hazardous situations, and harms sets the foundation for safer and more effective medical products.

So what does risk management have to do with planning? As previously stated, any changes within the QMS must be handled with a “plan” and that plan must be evaluated for impact on “risk”. To do this you would evaluate impact on the product or process risks as documented within the risk management file. Determine if the changes add any new risk or have an impact on the control measure that was implemented. This should be evaluated prior to the actual implementation of the change.


Robust CAPA = Robust QMS

How do we build this into the overall QMS so it becomes an iterative process? One greatly underutilized tool is known as Corrective and Preventive Action (CAPA). While it is a requirement of regulations as well as ISO 13485:2016, many organizations don’t make the most of their CAPA system. It is often viewed as a necessary evil rather than a strong contributor to the QMS. In fact, when used properly, it can be the heart or the glue for the entire QMS.

CAPA processes are designed to identify root cause and implement plans to prevent occurrence or recurrence of an issue. These plans must be evaluated for changes to current processes and risks associated with the changes. One thing to avoid is “death by CAPA.” That is where you create a CAPA for everything and then realize you don’t have adequate resources to address them all. Consider implementing a “risk-based” process for managing the activities. Prioritize the projects and plans throughout the operation. Include CAPA, calibration, maintenance, internal and external audit findings, lean projects, and any projects that require additional or dedicated resources. Use this plan to prioritize and allocate the projects. This is one approach to using “risk-based decision making” to ensure all activities are addressed “without undue delay.”

So remember, these four-letter words (plan, risk, and CAPA) are critical elements in the QMS and overall business processes for the organization. Integrating and implementing them properly will improve overall QMS conformance and potentially increase the business bottom line.


Want to Learn More?

If you want a solid foundational knowledge about QMS, our medical device QMS training course will help you understand the basic requirements for FDA’s Quality System Regulation (QSR), ISO 13485:2016, and more. Also consider our risk management and CAPA courses. Just starting out? We can help you get up and running with a quality management system that supports your compliance in the US or EU. If you already have a QMS, our medical device experts can make sure that you are staying in compliance by conducting CAPA investigations and gap assessments.
