CAPA Best Practices

Seeking guidance on employing a risk based approach to executing root cause analysis? Does anyone determine level of investigatory activities based on overall risk determination (i.e. those with lowest potential for risk will receive lowest level of investigation)? Curious as to possible approaches.

4 Replies
Duke Okes
207 Posts

Absolutely. When problem is identified (whether audit finding, NCM, complaint, etc.) the risk related to the failure should be evaluated. In some cases the problem will simply be corrected (and no CAPA done), and in other cases and investigation will be done to determine the causes. Again, degree of risk will drive whether only physical/direct causes are pursued, as opposed to also going to root/system cause. Also consider whether investigation should pursue why the problem wasn't discovered earlier (why it escaped where it occurred), as well as why it hadn't been predicted (e.g., wasn't in the FMEA).

Here's a related article, and while it is written about audit NCs it can also apply to other failures.


The extent of Root cause analysis is can be determined by classifying the risk associated with the non compliance like low, medium,high and severe.

On the lowest risk classification you can have simple desk top review of 5 why analysis to a structured Cause and effect analysis for high and severe level.

Thank you Duke for the insight and the article. Very much appreciated.

Thanks Balan!