How do you handle CAPA investigations and bug triage for SaMDs?

Question

I am interested in how companies handle CAPA (Corrective and Preventive Action) investigations, especially for Software as a Medical Device (SaMD). In our startup, root causes often seem clear, but auditors expect more than just citing "team meetings" or "the 5 Whys" as investigation methods.
I'm looking for investigation methods that do not create unnecessary overhead. What approaches have others found effective?

Related Question: CAPA and Bug Handling in SaMD

For SaMD products, do you issue a CAPA form for every bug, or only in specific cases? In my experience, bugs are typically triaged and reworked as part of the software development process, unless they require a change to specs or processes, in which case a CAPA might be triggered.
The IEC 62304 standard refers to addressing every "software problem" with a problem resolution process and change control. How do you interpret and implement this? Is everything managed within tools like Jira, or do you integrate CAPA and change control into the QMS separately?
I welcome any experiences or advice on balancing regulatory requirements with practical, efficient processes.

Dr. Oliver Eidel · Accepted Answer

In our case, we don't open a CAPA for every bug. We triage bugs and determine their criticality—low, medium, high, critical, or emergency. Only those classified as critical or emergency involve compliance and may result in a CAPA. The rest are usually just fixed in the next development sprint. This approach works for our low-risk device.
I think the key is to define a clear process that matches your device risk and document your decisions. Auditors want to see your reasoning and traceability, not necessarily that you follow a single method for everything.

Answer

In my previous company, we resolved CAPAs by using standard analysis methods, like investigating the root cause of a software bug. That was always sufficient for auditors and we never specifically used the 5 Whys method. For example, if the issue was just forgetting to update the publishing year of a standard, there was no need for an elaborate investigation.
My advice is to be pragmatic: use whatever method is appropriate for the problem at hand. If 5 Whys is helpful, use it. If something else is more suitable, that's fine too. Auditors mainly want to see that you have a clear, traceable procedure for how you solved the issue.

Answer

We open a CAPA for each bug found in released software, as required for non-conforming products after delivery (per ISO 13485 8.3.3). In line with IEC 62304, we have a Software Problem Resolution Procedure. Software problem reports are created as Jira issues, and the change control process flows through Jira issue states.
The root cause analysis is documented in the CAPA, and the correction is linked to the problem report in Jira. The problem is resolved through our software change control process (approval, implementation, verification, review, done).
If we see a risk of similar bugs, we may add a software change request in the CAPA's action plan as a preventive action. This, too, is handled as a Jira issue. Only a small number of software complaints end up with a CAPA request that is accepted.

Answer

In my experience, we don't rely on CAPA for every bug. We have a procedure where only a small number of software problems require a CAPA. Most are handled as bug tickets managed through Zendesk, with follow-up in Jira. CAPA is reserved for more significant issues, like those impacting safety or compliance.

Answer

At our company, we did bug tracking and data analysis in parallel. If a bug or complaint presented a serious risk or showed a negative trend, we initiated a CAPA request. We also initiated CAPA for process issues, whether regulatory or internal. An interdisciplinary board would decide whether to proceed and who would own the CAPA. Only a small fraction of issues led to an accepted CAPA request.

How do you handle CAPA investigations and bug triage for SaMDs?

Related Question: CAPA and Bug Handling in SaMD

5 Answers

Keep reading

SOP Corrective and Preventive Action (CAPA)

How do companies handle MDR Annex III complaint investigation and market experience analysis?

CAPA (Corrective and Preventive Action): What Is It and How To Be Compliant?