The Preventive Action Demystified

somashekar

Leader
Admin
The Preventive Action (PA) has always been at the center of confusion and has been also seen as an extension of the CA, because of the common term CAPA that is mostly in use. It has taken years to clarify (hopefully) that the CA does not have to be followed up with a PA. PA in itself was left to the wild imagination of the MR, if I may say so, to manage during an audit process. At other places some had gone to the extent of capturing any and all possible actions as PA without perhaps proper linkage.

Let’s see how the new ISO 13485 helps us in understanding this. At clause 0.2, the standard limits the concept of risk to safety or performance requirement of the medical device, or meeting the applicable regulatory requirement. The Preventive Action clause 8.5.3 also tells that the action taken does not adversely affect ability to meet regulatory requirement, or the safety and performance of the medical device. Taking these clues and understanding that potential nonconformities are possible risks., when we go through the standard, we can see a lot of situations where the PA are to be taken. When these are suitably recorded and linked to the PA documented procedure as appropriate to the organization, lot of clarity will emerge towards what the Preventive Action is…

Making a simple list will capture the PA areas which I can see as following …
Control of documents [specifically the g) and h) in 4.2.4] / Human resource (more specifically a trained and competent regulatory officer) / Infrastructure (like Clean room, Pure water system, ESD work areas, specified work environment) / Contamination control / Notification of changes in purchased products (comes from FDA 21 CFR 820) / The controls of production and service provisions / Cleanliness of products / Validation / The specified particular requirements / Feedback process / ..

When you can link these said practices (your practices) as applicable to you into your PA documented procedure, you are done. Your PA are bright, clear and demystified.

Comments …..
 
Last edited by a moderator:

Sidney Vianna

Post Responsibly
Leader
Admin
Comments …..
Preventive actions and the requirements contained in ISO 9001 (through 2008 Edition) have led to some of the longest and most contentious threads we've had in The Cove.

ISO 13485:2016 8.5.3 is very close to the requirements from ISO 9001:2008. The fact that the TC 210 decided not to use the HLS template and maintained PA's as part of the requirements, while the TC 176 dropped the requirements and rationalized explicitly and at length why 9001:2015 was devoided of a PA section exposes a major weakness in the standards development process.

QMS experts clash with Medical Device QMS experts. Why is PA (as prescribed in 13485:2016 8.5.3) necessary while, it is not a requirement of 9001:2015 (and all the sector standards based on it, such as AS9100:2016, IATF 16949:2016)?

The fact that this thread was created, trying to shine a light on something that, for over a decade and a half, "experts" from TC 176 and 210 are unable to crack the code they themselves created show how (in my opinion) trying to demystify PA is Mission Impossible.
 
C

cdhoopes

I think it is part of the closer alignment to FDA 21CFR820 which specifically requires PA.
 
R

randomname

Preventive action (per ISO 9001:2008):

1. Determine potential nonconformities and their causes (identify risks)
2. Evaluate the need for action to prevent them (assess risks)
3. Determine and implement any actions needed (treat risks)
4. Review effectiveness of those actions (monitor risks)

This is the risk management process!
 

Mortalis

Involved In Discussions
Preventive action (per ISO 9001:2008):

1. Determine potential nonconformities and their causes (identify risks)
2. Evaluate the need for action to prevent them (assess risks)
3. Determine and implement any actions needed (treat risks)
4. Review effectiveness of those actions (monitor risks)

This is the risk management process!
It is part #4 that we struggle to demonstrate. How do you show the effectiveness of something that prevents something from happening that never happened?
 

Marcelo

Inactive Registered Visitor
It is part #4 that we struggle to demonstrate. How do you show the effectiveness of something that prevents something from happening that never happened?

By defining exactly what you did not want to happen, how actions you did to prevent it from happening, and the methods you are gonna use to check that the actions to prevent did work.

It's not only "it did not happen so it's ok", but more like "the actions I did were ok and in the end what I did not want to happen didn't.

Something that the "preventive action" lacked, but risk management has, is the need to verify if the actions did not have an impact on other stuff.
 

Ronen E

Problem Solver
Moderator
Corrective actions (I know we're discussing preventive actions, patience please) are targeted at correctly identifying root causes and then eliminating them. Step #1 in verifying effectiveness is ensuring that the identified root cause was elimienated.

The same can be done with preventive actions. Has a root cause been identified? Has it been elimienated?

Whether or not a root cause has been correctly identified (and there are no others) is a different, tougher question. In CAs it can be answered empirically. In PAs you have to use org's best analytical resources.
 
Top Bottom