Separate Corrective Action and Preventive Action Procedures

[Lemko]

Hello, I saw the very old thread related to Separate or Combine CAPA procedures, but I am looking for some more recent guidance/news.

I recently changed jobs from one of the big Medical Device Manufacturers (class II and III devices) to a small company that has mostly unregulated but some class I devices which just had their 1 year ISO 13485 surveillance audit a month before I arrived. The company is very much immature in their transition from 'job shop' to medical device manufacturer.

One of the findings was related to insufficient documentation in the CAPA procedure detailing requirements to determine a PA. As a correction the company apparently told the auditor they were going to split the CAPA procedure up in order to address the finding-based on the auditor telling them it should be split up. I'm having a disagreement stemming from my interpretation of the finding and ultimately the appropriate correction to be making. Per the individuals I am working with, this company was told by the auditor that the term CAPA is not being used in international regulations/standards as they are being revised, and I was further told that IMDRF specifically call this out as two separate processes and that the FDA will move forward to emphasize two separate processes.

Not only is this the first time I've heard this (having a fair share of regulatory involvement and external auditor interaction as front room lead at my previous large company), I have also been trying to find any discussion on the web about it and am coming up empty. Am I being given run-around as the new guy coming in with unwanted ideas, or is this an actual movement within the industry to require CAPA be split into two different procedures? Also I don't want to get into a discussion of what path is correct (probably either depending on the company situation), just curious on requirements.

Thank you.

 

[contigo123]

I have not heard of this, and we recently had an ISO audit. What was the actual finding? Does the current CAPA procedure not have all the PA requirements from ISO 13485?

 

[Ninja]

As a correction the company apparently told the auditor they were going to split the CAPA procedure up in order to address the finding

I am not in medical, anything I say should be with that in mind.

IMO, That was a really bad call.
Keep them together, and address the finding itself (if it is even valid, not enough info to tell).

 

[Tagin]

Regardless of whatever the 'trend' might be, if you compare the flow and requirements of CA vs. PA in 8.5.2a-f vs. 8.5.3a-e there is overlap, but to me they are sufficiently different if flowcharted that its not unreasonable to have two similar - but different - procedures. That doesn't mean they have to be two different systems - CAs and PAs could still be in the same system; it's just that each is handled according to its type.

One of the findings was related to insufficient documentation in the CAPA procedure detailing requirements to determine a PA

Did the auditor reference 8.5.3 "The organization shall determine action to eliminate the causes of potential nonconformities..." or 8.5.3a "determining potential nonconformities and their causes" in this NC? If neither, what is the exact text of the NC?

 

[Sidney Vianna]

Hello, I saw the very old thread related to Separate or Combine CAPA procedures, but I am looking for some more recent guidance/news.

I recently changed jobs from one of the big Medical Device Manufacturers (class II and III devices) to a small company that has mostly unregulated but some class I devices which just had their 1 year ISO 13485 surveillance audit a month before I arrived. The company is very much immature in their transition from 'job shop' to medical device manufacturer.

One of the findings was related to insufficient documentation in the CAPA procedure detailing requirements to determine a PA. As a correction the company apparently told the auditor they were going to split the CAPA procedure up in order to address the finding-based on the auditor telling them it should be split up. I'm having a disagreement stemming from my interpretation of the finding and ultimately the appropriate correction to be making. Per the individuals I am working with, this company was told by the auditor that the term CAPA is not being used in international regulations/standards as they are being revised, and I was further told that IMDRF specifically call this out as two separate processes and that the FDA will move forward to emphasize two separate processes.

Not only is this the first time I've heard this (having a fair share of regulatory involvement and external auditor interaction as front room lead at my previous large company), I have also been trying to find any discussion on the web about it and am coming up empty. Am I being given run-around as the new guy coming in with unwanted ideas, or is this an actual movement within the industry to require CAPA be split into two different procedures? Also I don't want to get into a discussion of what path is correct (probably either depending on the company situation), just curious on requirements.

Thank you.

ISO 13485:2016 has ISO 9000:2015 as a normative reference. The definitions of corrective and preventive action are provided there. Let's remember that ISO 13485:2016 did not follow the HLS, which dropped "substituted" preventive action for risk based thinking. Source 1 of confusion.

The term CAPA, typically used in the Medical Device Sector is not in line with the ISO 9000 definitions. In CAPA, (Corrective Action Preventive Action), the CA normally relates to correction (as per ISO definition) and PA normally relates to corrective action (as per ISO definition) . Source 2 of confusion. By the way, I had made a comment about this in this post.

As for FDA and CAPA new guidance, I found this article from a couple of years ago. An excerpt reads: "...FDA has revised section 820.100(a)4 to reflect that preventive and corrective action must be verified or validated. One of the things that was brought out in the preamble discussion was why do we have to go back and validate or verify preventive action? ..."The article also points to this guidance document. (also attached below)

Let's remember that under the old structure (pre-HLS) of ISO 9001, we saw countless and mind numbing discussions in this space about preventive actions and some of that might be at play here.

My advice for the OP is to make sure he understands CLEARLY what the auditor was referring to; meaning was the auditor referring to PA as prevention of recurrence (which is corrective action by ISO 9000 definition) or prevention of POTENTIAL nonconformities.

Good luck.

 

[Tidge]

One of the findings was related to insufficient documentation in the CAPA procedure detailing requirements to determine a PA. As a correction the company apparently told the auditor they were going to split the CAPA procedure up in order to address the finding-based on the auditor telling them it should be split up. I'm having a disagreement stemming from my interpretation of the finding and ultimately the appropriate correction to be making. Per the individuals I am working with, this company was told by the auditor that the term CAPA is not being used in international regulations/standards as they are being revised, and I was further told that IMDRF specifically call this out as two separate processes and that the FDA will move forward to emphasize two separate processes.

It should make no difference if there are separate/parallel or distinct processes for CA and PA.

My personal sense is that there was a push towards making CA and PA nearly identical; for example I'm seeing more places require an 'effectiveness check' for PA, whereas in previous eras a PA process would stop with 'implementation'.

 

[Lemko]

Thank you for the replies, there is good information here for me to think about. This is the exact wording of the finding for those interested:

Finding: The Preventive action process observed not to be fully effective

Requirement: The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions shall be proportionate to the effects of the potential problems. The organization shall document a procedure to describe requirements for:
a) determining potential nonconformities and their causes;
b) evaluating the need for action to prevent occurrence of nonconformities;
c) planning and documenting action needed and implementing such action, including, as appropriate, updating documentation;
d) verifying that the action does not adversely affect the ability to meet applicable regulatory requirements or the safety and performance of the medical device; e) reviewing the effectiveness of the preventive action taken, as appropriate.

Records of the results of any investigations and of action taken shall be maintained (see 4.2.5).

Objective Evidence: One could not verify from the established procedure for preventive action how the organization describe requirements for determining potential nonconformities.

 

[Bev D]

Words matter.
Unfortunately the people who wrote these standards used the same root word (prevent) in two very different ways. And then too many users misinterpreted and smashed them together to create the extremely unfortunate acronym CAPA.
Look at the requirement: this is only about taking preventive action for non-conformities that have not yet occurred. This type of preventive action is a bit intangible as many people have difficulty understanding something that hasn’t yet occurred.

Now when a non-conformity has occurred we can take either corrective action (only fix the nonconforming thing) or corrective action to prevent the re-occurence of the nonconformity in the future.

These two things are very different and are not to be conflated, mashed up or confused.

 

[John Broomfield]

Preventive action is driven by planning, risk assessment and the analysis of data. Whereas corrective is driven by nonconformity. So, each type of action starts in a different way.

Both PA and CA require the removal of root causes from the system. So, PACA may share the same problem solving activities within these two separate processes.

 

[Sidney Vianna]

Preventive action is driven by planning, risk assessment and the analysis of data

There are many reasons why "preventive action", as a stand-alone process was obliterated removed from the common text in the HLS. From one of (many) TC 176 papers:

One of the key changes in the 2015 revision of ISO 9001 is to establish a systematic approach to considering risk, rather than treating “prevention” as a separate component of a quality management system.

Risk is inherent in all aspects of a quality management system. There are risks in all systems, processes and functions. Risk-based thinking ensures these risks are identified, considered and controlled throughout the design and use of the quality management system.

In previous editions of ISO 9001, a clause on preventive action was separated from the whole. By using risk-based thinking the consideration of risk is integral. It becomes proactive rather than reactive in preventing or reducing undesired effects through early identification and action. Preventive action is built-in when a management system is risk-based.

A QMS, by design, focuses on preventing quality problems. Having an artificial, stand-alone expectation of separate preventive actions is asinine. So much so that the HLS dropped it.