Are we spending enough time and resources on effective Preventive Actions?

Ronen E

Problem Solver
Moderator
I'm up for that. Even though the processes [CA and PA] are superficially similar, they're fundamentally different tasks. Grouping them casually usually hamstrings one or the other, and usually that's at the price of good preventive actions.
While I highly agree, I have a confession to make... I've never come across a company implementing (I mean, beyond having an SOP for that on paper) a PA activity systematically... It seems that at least in the industry I'm familiar with - medical devices development and manufacturing - companies are so overwhelmed with just keeping up with routine QA activities and "ordinary" CA, that they never really take on PA, other than some sporadic, few "pet" PAs that seem to be taken only for the sake of audits... This seems to me to come from the very top - managements seem comfortable with the attitude of "We're stressed for resources, and QA is already costing us too much for the benefits it provides, so why bother about problems that may or may not be there?... We'll deal with it if and when it happens." I really hope it's different in other industries...

Thinking about it now, it may not fall under formal "PA", but a big part of the D&D effort, and especially the risk management effort, is sort-of PA... We try to anticipate problems/issues that haven't yet manifested, understand (and verify, haha) the root cause(s) as we perceive them (or can best analyse them), and implement preventive measures upfront.
 
Last edited:

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
PA are in some ways distracting. Unless its a safety issue for the users or employees how can you justify the time and cost to study the PA? Typically PA are addressed as CA.

In a management meeting I would not want to defend PA actions on an item everyone agrees is working "well enough" and the fear is my activity could make it worse.
 
PA are in some ways distracting. Unless its a safety issue for the users or employees how can you justify the time and cost to study the PA? Typically PA are addressed as CA.
A PA of course has actions, but they are not corrective since there was no nonconformity. You become aware of an issue that could cause a nonconformity, so you take action to ensure that nonconformity will not occur in the future.
 

Tidge

Trusted Information Resource
My nature is to be proactive (including implementing risk controls for possible risks), but my heart is with @Ed Panek on this one. In my personal experience, formalizing PAs (I am sidestepping the question of "treating them as CAs") in the medical device manufacturing industry leads to more confusion and heartache than they are worth. Kudos to those who make them work! This is just one of those areas where I haven't witnessed much practical or consistent implementation of PA (as PA).

Some of the heartache I've observed: It doesn't make sense to formally start a PA process and then simply not do anything (including creating any sort of formal record), so even getting traction on starting (what would be recognized as) a PA likely means that there is now some amount of management "buy-in"...and likely for a (pre-)determined solution. In this regulated industry, PA will also require some sort of effectiveness check (I don't want to get into that) which are (again my experience) near-impossible to make meaningful/consistent, even for the most mature organizations that have well-established CA processes.
 

Enternationalist

Involved In Discussions
While I highly agree, I have a confession to make... I've never come across a company implementing (I mean, beyond having an SOP for that on paper) a PA activity systematically... It seems that at least in the industry I'm familiar with - medical devices development and manufacturing - companies are so overwhelmed with just keeping up with routine QA activities and "ordinary" CA, that they never really take on PA, other than some sporadic, few "pet" PAs that seem to be taken only for the sake of audits... This seems to me to come from the very top - managements seem comfortable with the attitude of "We're stressed for resources, and QA is already costing us too much for the benefits it provides, so why bother about problems that may or may not be there?... We'll deal with it if and when it happens." I really hope it's different in other industries...

Thinking about it now, it may not fall under formal "PA", but a big part of the D&D effort, and especially the risk management effort, is sort-of PA... We try to anticipate problems/issues that haven't yet manifested, understand (and verify, haha) the root cause(s) as we perceive them (or can best analyse them), and implement preventive measures upfront.

Realistically, people are just afraid to be found bleeding in audit, I think. They're afraid to hear "You've identified this issue, so why haven't you done anything about it?". I personally kind of resent this - an effective system should be chock-full of identified areas of improvement; processes should be built so that we aren't afraid of them. That said, it's incredibly difficult to build it in a way that is effective for everyday use and not onerous, especially if it's tied to the appropriately intensive CA processes.
 

Ronen E

Problem Solver
Moderator
"You've identified this issue, so why haven't you done anything about it?"
Er... It's called priorities...?...
If you just have a bunch of potential PAs sitting there "waiting to ripen", it's a buffet for any auditor (or grumpy manager). But I think if you have a clear and practical procedure for analysing and rating "onerousity" for each, then tying it with the management review process (where those issues are floated to management, prioritised and perhaps actioned, and the whole affair is documented), you have a beautiful blanket.
Benefit-risk analysis in all its glory.
 

Ronen E

Problem Solver
Moderator
PA will also require some sort of effectiveness check (I don't want to get into that) which are (again my experience) near-impossible to make meaningful/consistent, even for the most mature organizations that have well-established CA processes.
It can sometimes be surprising to find what kind of nonsense is "well-established" in "mature" organisations (i.e. big-ish orgs that are well-established business-wise but have superficial/canned QA thinking). For example, sometimes the inquest into root causes, and the way "the" root cause is framed are almost embarrassing... as the foot soldiers who are many times assigned this task (as if it's a negligible formality) see this as an annoying procedural step, rather than the crux of the activity. Then the misunderstanding that short-term effectiveness verification (for closing out the CA or PA) doesn't lie in "proving" that the NC doesn't/won't/can't recur, but much more realistically in providing evidence that the mitigation action has been indeed implemented in full and as planned, and that the documented (and hopefully, well thought through) root cause has been eliminated (the "no NC" confirmation can be a nice annual or semi-annual follow-up activity, but I'm not that naïve to think any org will go that far).

Is it really near-impossible to properly think through a root cause (not just the first thing that comes to mind that everyone agree on), plan for its elimination, verify that indeed the eliminating actions have been taken, and that indeed that root cause was eliminated?
 

Tidge

Trusted Information Resource
Is it really near-impossible to properly think through a root cause (not just the first thing that comes to mind that everyone agree on), plan for its elimination, verify that indeed the eliminating actions have been taken, and that indeed that root cause was eliminated?

The post of mine quoted (which was the springboard for the above reply) was specifically about PA. For non-conformances that have not yet occurred it is, in my experience, very difficult to get agreement on "root cause". Again, I'm sidestepping discussions about wether or not it is an appropriate ROI to investigate potential non-yet-occurring non-conformances for values of I>0.
 
PA will also require some sort of effectiveness check (I don't want to get into that)....
Not actually necessary as ISO 13485 states "reviewing the effectiveness of the preventive action taken, as appropriate." Sometimes it is not appropriate to do an effectiveness check on a PA.

For illustrative purposes, here is an example PA. Let's say for process monitoring you do destructive tensile testing of glue bonds for a potion of your subassembly lot. You have a lower value for two samples, but still within specification. Alert limit has been reached. The associated risk is device embolization because the device goes inside patient vasculature. These samples seem to have large channels in the glue. You decide a CAPA is needed to determine the root cause of the large channels and take action to prevent glue bond failures. There was never any nonconformity, but if the nonconformity did occur in the future, it could cause harm of high severity in a patient.
 

Tidge

Trusted Information Resource
Not actually necessary as ISO 13485 states "reviewing the effectiveness of the preventive action taken, as appropriate." Sometimes it is not appropriate to do an effectiveness check on a PA.
I've tried to put this argument forward (locally), with no success. Current group-think (among NBs, others) is to bluntly require effectiveness checks for PA. For me, this falls into the category of fights where most full-time employees of medical device manufacturers find no allies and an unending line of internal associates and external judges who will oppose it, for all sorts of reasons. I don't like it, but since (formal) PA are so easy to downplay (for a wide spectrum of reasons) and handle outside of a PA system I don't bother expending any of my vital energies along these lines to achieve my sense of Aristotelian happiness.

YMMV. There exist other areas of group-think worth addressing that I feel will pay larger dividends.
 
Top Bottom