Are we spending enough time and resources on effective Preventive Actions?

Bev D

Heretical Statistician
Leader
Super Moderator
May I ask you to clarify exactly what you mean by PA? I assume you are referring to a Preventive Action prior to a non-conformance? And that you are not referring to a action that prevents recurrence of a non-conformance…
 
I've tried to put this argument forward (locally), with no success. Current group-think (among NBs, others) is to bluntly require effectiveness checks....
Thanks for sharing this info. This is unfortunate.

May I ask you to clarify exactly what you mean by PA? I assume you are referring to a Preventive Action prior to a non-conformance? And that you are not referring to a action that prevents recurrence of a non-conformance.
Yes. You stated it exactly right.
 

Ronen E

Problem Solver
Moderator
Not actually necessary as ISO 13485 states "reviewing the effectiveness of the preventive action taken, as appropriate." Sometimes it is not appropriate to do an effectiveness check on a PA.

For illustrative purposes, here is an example PA. Let's say for process monitoring you do destructive tensile testing of glue bonds for a potion of your subassembly lot. You have a lower value for two samples, but still within specification. Alert limit has been reached. The associated risk is device embolization because the device goes inside patient vasculature. These samples seem to have large channels in the glue. You decide a CAPA is needed to determine the root cause of the large channels and take action to prevent glue bond failures. There was never any nonconformity, but if the nonconformity did occur in the future, it could cause harm of high severity in a patient.
That's a great example how PA effectiveness CAN be verified. It sounds like the root cause was determined to be the channels in the glue - right? Assuming that some action was taken to prevent (or reduce the occurrence of) the formation of those channels (need to verify that the action was actually implemented), a follow-up inspection can be performed to verify that no channels appear post-change (or at least the occurrence has reduced - I assume that a baseline was established during the initial investigation). If that's the case, the root cause (hopefully, well established) has been eliminated and the PA can be closed as successful. If similar issues are noted later on, suggesting that maybe the real root cause wasn't identified, or that there was/is more than one problem, another PA (or CA) can be initiated. But IMO that wouldn't mean that the first PA was wrong or inappropriately closed.
 
Last edited:

Ronen E

Problem Solver
Moderator
From ISO 13485:2016:
0.2 Clarification of concepts
In this International Standard, the following terms or phrases are used in the context described below.
— When a requirement is qualified by the phrase “as appropriate”, it is deemed to be appropriate unless
the organization can justify otherwise. A requirement is considered appropriate if it is necessary for:
— product to meet requirements;
— compliance with applicable regulatory requirements;
— the organization to carry out corrective action;
— the organization to manage risks.
This clause suggests that if someone in the org is arguing that PA verification is "not appropriate", they need to document a justification, including explaining why/how:
— verifying this PA is not necessary for ensuring that the product(s) will meet the requirements;
— verifying this PA is not necessary for ensuring compliance with applicable regulatory requirements;
— verifying this PA is not necessary for allowing the organization to carry out corrective action [I would argue that this is only relevant if the PA is dealing with an aspect of the CA process itself]; and
— verifying this PA is not necessary for allowing the organization to manage risks [Good luck with this one! As a PA is in itself an element of risk management].
 
Last edited:

Enternationalist

Involved In Discussions
Er... It's called priorities...?...
If you just have a bunch of potential PAs sitting there "waiting to ripen", it's a buffet for any auditor (or grumpy manager). But I think if you have a clear and practical procedure ... you have a beautiful blanket.

Oh, I agree entirely. Just observing the mindset, and the fact that it usually stops at step 1, and never proceeds to the idea that a clear and practical procedure is possible.

To add to the discussion on where fat can be cut;

I think it's evident that part of the issue is that the phrasing for the requirements of preventive and corrective actions is nearly identical, making it all-too-easy to make the processes themselves nearly identical. However, the requirements are intentionally broad - they're not telling us that these processes should look identical, they're telling us that these processes can look however we like them to look as long as we touch on a few themes.

This also means the few differences are important.
  • Necessary corrective actions must "be taken without undue delay", while preventive actions have no such requirement.
  • We must describe requirements for "determining potential nonconformities" in the preventive action process as opposed to "reviewing nonconformities" in the corrective action process
  • More subtly, preventive action requirements ask us to "determine action to eliminate the causes..." as opposed to corrective actions that ask us to "take action to eliminate the causes..."
To me, these three elements point toward the fundamental philosophy that "Preventive action" requirements are much more about the process of discovery and information gathering - rather than being an engine of action in the same way as corrective actions. It lacks the urgency of corrective action (which often gets unfairly applied to preventive actions in a blanket manner) and emphasizes discovery.

It seems clear that this is essentially meant to capture a sort of ticketing system - a place to catch "Hey, I reckon this might cause a problem one day", and a process to ask the question "Will it? And do we need to do anything about it now?". And, most critically, the subtle wording difference allows us to easily answer "No, we don't need to take action" or "Here's the action to take, but we'll take it whenever we damn well please" in many cases.

As Ronen mentioned - having a clear and concise set of guidelines that indicate when action and documentation is NOT needed is key.
 

Ronen E

Problem Solver
Moderator
It lacks the urgency of corrective action
I reckon that in 99% of the orgs 99% of the time this will mean it will not be actioned until an actual NC is raised... and then it will no longer be a PA but rather a CA :)
The upside is that at least the pondering stage will already have been done for that particular CA.
 

Bev D

Heretical Statistician
Leader
Super Moderator
I agree with some points already made, but my experience is contrary to a few others…

In my experience the issue with Preventive Action ‘programs’ is that they are treated like Corrective Action ‘programs’. There is also the issue of confusing actions to prevent recurrence with Preventive Actions… This is of course why ISO9000 moved away from Preventive Actions to risk.

Effective Preventive Action must be embedded in the culture and processes. It is not something QA ‘issues’ or initiates.

I have seen many companies with vibrant Preventive Action programs and I’ve seen many companies with unsuccessful Preventive Action programs. Some times they have been the same company. Let me explain:

Preventive Action is taken to prevent non-conformance’s from occurring. Often these actions are taken against the cause of the non-conformance. We see them all of the time though many ‘traditional QMS’ people can’t ‘see it’. I don’t really use that phrase pejoratively - although it can be interpreted that way - I mean it to describe those people who look at a QMS in a very rigid and ‘this is the way it’s always been done’ or ‘this way is easy for the auditor to understand’ fashion. So what are these Preventive Actions? FMEA, SPC, 5S, Lean (actually TPS) work breakdown, single piece flow sequencing, color coding, part number simplification, counting sensors, bar codes and bar code readers…anything in the error proofing or mistake proofing realm. Even DoE that maps out design space and determines allowable tolerances that preclude the manufacture of defective parts. These are all preventive actions. Some are prescribed by standards under different requirements: calibration is one, assessing changes for unintended consequences is another.

A vibrant and effective system is almost invisible as the approach is embedded in every day work and it typically occurs (with the exception of SPC) in ‘clumps’ and doesn't occur continuously. For example, when designing a process and implementing error proofing there is a flurry of preventive actions taking place. There may be numerous Kaizens in the beginning (true kaizen which is a small local ‘tweak’ not the oddly named Kaizen blitz that can take a week or so). Then the process may operate for months or years before requiring changes. There should be no ‘form’ or managerial approval for these small local changes. They should - and do - occur at the local level. This requires building a culture of improvement in all functions. I’ve worked in several organizations that do this well. I’ve also worked in and had suppliers who were horrible at this.

A word about “cause”: most causes that are addressed in the above Preventive Actions are well known and understood. They don't require independent and redundant investigation and ‘proof’. For example, knowledgable people know that a bar code and bar code reader are far more effective in preventing mis-reading and fat fingering data.

I once worked for an organization where the QA team was quite ‘old fashioned’ and they implemented a PA form that mirrored the Corrective Action form - in fact it was the same form with only a check box to indicate that the recorded action was Corrective or Preventive. …and yes they called it a CAPA form! No one filled it out. It was just paper work - they were too busy taking Preventive actions as described above. When audit time came QA would run around trying to document a few of these as Preventive actions on their form so they could ‘get credit’ for it in the audit. A horrible wet blanket system to cover up an effective culture of actual preventive actions.

It takes a little more work - and frankly knowledge - to explain this and show it to an auditor but if you are well versed in these approaches and your organization is performing them effectively it is easy.

Sent from my iPad
 

Steve Prevette

Deming Disciple
Leader
Super Moderator
I'll suggest there is a certain perverse logic that runs counter to Preventive Actions. If I spend money on Preventive Actions, and nothing happens (which is indeed the intent) I am seen as having wasted money. If I rush in to "Firefight" after something breaks or otherwise goes awry, I am a hero for fixing the problem. Even if I set the fire. We have all the time and money in the world to fix something after it breaks, but not a penny to keep it from breaking.

Dr. Ackoff referred to acts of commission versus omssion. Doing, not-doing; errors of commission, errors of omission – Coevolving Innovations
A cost related to an act of commission brings a heap of wrath upon the poor decision-maker. An act of omission does not show on the quarterly financial statement.
 

Randy

Super Moderator
I'll suggest there is a certain perverse logic that runs counter to Preventive Actions. If I spend money on Preventive Actions, and nothing happens (which is indeed the intent) I am seen as having wasted money. If I rush in to "Firefight" after something breaks or otherwise goes awry, I am a hero for fixing the problem. Even if I set the fire. We have all the time and money in the world to fix something after it breaks, but not a penny to keep it from breaking.

Best example I can think of is in "Maintenance" where organizations have all the money & time in the world to fix broken *rap but very little to time & money to keep it from breaking to begin with. That messed up way of thinking permeates business unilaterality in a manner that makes the bubonic plague appear passive and benign.
 
Top Bottom