  • perkinsmark83

Clearing up some confusion regarding Corrective Action and Preventive Action and more...

I teach a lot of classes on medical device quality topics, and naturally the subject of corrective action and preventive action comes up quite often... either as a direct element of the class or indirectly in student feedback. I also have performed quite a few quality audits/gap assessments to ISO 13485, 21 CFR 820, EU MDR and MDSAP.

I have found both in classes and through audit and assessment that there is some widespread confusion regarding the subject of "CAPA". The goal of this blog post is to help clear up that confusion and to provide some additional input to help you become more successful in use and audit of your "CAPA" system.

How do we address this confusion? As Julie Andrews famously sang "Let's start at the very beginning, A very good place to start!"

So the beginning is - Definitions:

First, it's important to note that the terms nonconformity, correction, corrective action and preventive action are not defined anywhere in ISO 13485:2016, ISO 9001:2015 (the parent standard to ISO 13485) or 21 CFR 820. However, ISO 13485 points to ISO 9000 for definitions of terms, and they are as follows:

3.6.9 nonconformity: non-fulfilment of a requirement (3.6.4)

3.12.3 correction: action to eliminate a detected nonconformity (3.6.9)

3.12.2 corrective action: action to eliminate the cause of a nonconformity (3.6.9) and to prevent recurrence

3.12.1 preventive action: action to eliminate the cause of a potential nonconformity (3.6.9) or other potential undesirable situation

Note 2 to entry: Preventive action is taken to prevent occurrence whereas corrective action (3.12.2) is taken to prevent recurrence.

The main point I want to make here is that per ISO 9000, corrective action and preventive action are separate by definition and also addressed by separate clauses 8.5.2 and 8.5.3.

Note: These definitions should be included in your CAPA procedure citing ISO 9000:2015 as the source and I highly recommend you purchase the ISO 9000:2015 Standard as well. There are a lot of other terms defined in ISO 9000 beyond these.

What's the difference then between ISO 13485 and 21 CFR 820 regarding CAPA?

I'm glad you asked! Part of what confuses people is that these ISO terms really aren't in 21 CFR 820. They appear to be... yet they clearly are different by context. 21 CFR 820.100 "Corrective and preventive action" states:

"...Identifying the action(s) needed to correct and prevent recurrence of nonconforming product and other quality problems;"

Again... 21 CFR does not define terms. You must interpret the meaning by context. The word "corrective" never appears in the actual text of 21 CFR 820.100, only the word "correct", and by context you can see that the 21 CFR statement above expects that a problem is corrected (fixed) and prevented from recurring. There is no requirement in 21 CFR to prevent "potential nonconformities". So, in essence, the 21 CFR 820.100 "action" needed to "correct" is essentially equivalent to ISO 13485 "correction", and the 21 CFR action needed to "prevent recurrence" is essentially equivalent to ISO 13485 "corrective action". To reiterate... there is no equivalent in 21 CFR to ISO 13485 "preventive action".

Related to the confusion many people have on this topic as they go back and forth between ISO 13485 and 21 CFR 820, a false interpretation has taken hold: that for every CAPA that addresses a "corrective action" (using the ISO definition now) you must also have a "preventive action". That is not the case… although at times there may certainly be a rationale to support carrying out further preventive action as a result of the investigation of an existing nonconformity, where a potential NC is identified.

Because of that widespread incorrect interpretation, GHTF/SG3/N18:2010 (see link below) states:

"The acronym “CAPA” will not be used in this document because the concept of corrective action and preventive action has been incorrectly interpreted to assume that a preventive action is required for every corrective action."


Well, ok they're different so which do I use? FDA or ISO?

Happily, FDA at heart really wants you to follow ISO 13485. Why? Well, ISO does all FDA asks and more. So, I recommend you define your terms in your CAPA procedure per ISO 9000:2015 and you structure your procedure to meet the requirements of ISO 13485:2016 clauses 8.5.2 and 8.5.3. And you will satisfy both FDA inspector and ISO auditor expectations on actions they expect you to take.

Is that all Mark?

Well, I know that I may have hit your limit on how long you want to read about CAPA, but this next part is Gold... As in "That's Gold Jerry, Gold!"

What's gold is this... you can stop performing non-value added activity just to satisfy the auditor... Hopefully, that's enough to get you to keep on reading…

Ok... so one more thing I bring up with students. I ask them "How many of you have had an ISO auditor write you an NC because there aren't any (or enough) preventive actions in your CAPA system?". Inevitably, a lot of hands raise. I ask them next, "How did you address that?". They usually say... “We began creating preventive actions in our CAPA system so that we could close out the NC and continued to create preventive actions in our CAPA system to avoid another nonconformity in future audits”. I ask them “Honestly, is that a value add?” It’s basically a rhetorical question… of course it’s not value add to do this just for the purpose of getting an auditor to check a box.

So, I then tell them how this same thing happened to me many years ago and I told the auditor I have numerous examples of documented preventive actions that clearly meet ISO 13485 clause 8.5.3 requirements, they are just not in the formal CAPA system. Just the act of writing procedures to identify processes, controls, action limits and so forth is an example. But, an even clearer example is when I perform Failure Modes and Effects Analysis (FMEA). With FMEA I am:

1) Identifying potential nonconformities (a whole lot of them)

2) Evaluating the risk (potential harm and severity)

3) Identifying the potential cause of the failure mode

4) Identifying the action to reduce or eliminate the cause of the potential nonconformity

5) Documenting that I took that action

6) Identifying my method of determining effectiveness of that action

7) Documenting that the action was effective

8) Taking action to reduce or eliminate the potential nonconformity

9) Documenting I took action to eliminate (reduce) the risk

The auditor tried, but really couldn't rationally support his argument that I hadn't met ISO 13485 clause 8.5.3 requirements, because I had. So, in the end, he did not write me a nonconformity. And I did not start populating my formal CAPA system with preventive actions for no other reason than to avoid a future nonconformity.

Note by the way, that I am also satisfying requirements of ISO 14971:2019 for risk analysis and control at the same time I'm satisfying ISO 13485:2016 clause 8.5.3 for preventive action! Win Win!

So... I recommend you point to FMEA in your CAPA procedure as an example of preventive action that you perform that meets clause 8.5.2. Am I saying NOT to ever document a preventive action in your CAPA system? Well, no I’m not. You may find you have good reason to do so, just don’t do it in order to avoid an audit nonconformity… when you really don’t have a nonconformity.

Oh… and one final point... the word in both ISO 13485 and 21 CFR is preventive… not preventative. I see a lot of procedures where these words are used interchangeably. They do mean the same thing, but why not be consistent with ISO and CFR on that word?

