What MDR and IVDR confuse and why you should not talk about CAPA.
Unfortunately, the MDR and IVDR do not clearly differentiate between these concepts. Some manufacturers also believe they can combine corrective and preventive actions into CAPAs. But this is just as imprecise as the lack of distinction between “corrections” and “corrective actions.”
This article defines the terms and helps you avoid deviations in audits and even illegal marketing of devices caused by this confusing terminology. It lists the regulatory requirements and uses examples to explain how to differentiate between the pairs “corrective action” and “correction” and “corrective action” and preventive action.”
ISO 9000 defines the term correction as follows:
“action to eliminate a detected nonconformity”
Source: ISO 9000:2015 3.12.2
Examples of corrections are:
a) Corrective actions in ISO 9000 and ISO 13485
ISO 9000 defines the term corrective actions as follows:
“action to eliminate the cause of a nonconformity and to prevent recurrence”
Source: ISO 9001:2015 3.12.2
Therefore, the aim of a corrective action is to identify and eliminate not just nonconformities but also the causes of nonconformities that have already occurred and to ensure that such nonconformities do not occur again.
Colloquially, actions intended to ensure that a nonconformity does not occur again are often referred to as preventive actions. However, according to the definition, this is not a preventive action.
Examples of corrective actions
Examples of corrective actions include:
b) Corrective actions according to the MDR and IVDR
Unfortunately, the MDR has not adopted the definition of corrective action from ISO 9000 and ISO 13485:
“action taken to eliminate the cause of a potential or actual non-conformity or other undesirable situation;”
Source: MDR Article 2
This definition is very unfortunate because it mixes the elimination of the cause of a potential nonconformity and the elimination of the cause of an existing nonconformity. Elimination of a potential nonconformity is usually considered a preventive action.
Regrettably, the MDR and IVDR also use the term “field safety corrective action” in addition to the term “corrective action.”
“corrective action taken by a manufacturer for technical or medical reasons to prevent or reduce the risk of a serious incident in relation to a device made available on the market;”
Source: MDR Article 2(68)
Although neither the MDR nor the IVDR define the term preventive action, they do use it. But only in the phrase “corrective and preventive action.” Why this mixing of the two terms is a problem is explained later in this article.
ISO 9000 and ISO 13485 do define the term preventive action:
“action to eliminate the cause of a potential nonconformity or other potential undesirable situation.”
Source: ISO 9000:2015 3.12.1
Interestingly, ISO 9000:2015 defines the term, but ISO 9001:2015 no longer requires any preventive actions.
Examples of preventive actions
Preventive actions are aimed at avoiding future nonconformities that have not yet occurred.
These actions can relate the design of a device to improve its safety, e.g.:
Other actions might relate to quality management, e.g.:
If you were to take one of these actions to prevent a nonconformity that has already occurred from occurring again in the future, these actions would not be preventive actions, they would be corrective actions. In another words:
you can’t take a preventive action if the problem has already occurred. If, after a problem has occurred, you want to make sure it doesn't occur again, that would be a corrective action not a preventive action, even though both have the same aim: to prevent a future problem.
Because most manufacturers only react when problems occur, there are a lot of corrective actions and not many preventive actions.
a) ISO 13485
In section 8.5 (“Improvement”), ISO 13485 requires both corrective actions (section 8.5.2 “Corrective action”) and preventive actions (section 8.5.3 “Preventive action”).
Manufacturers must define processes and keep records for them and provide an explanation if they do not take any corrective or preventive actions in response to a customer complaint.
The FDA requires corrective and preventive actions in 21 CFR part 820.100. The requirements are essentially the same as those in ISO 13485.
The FDA is mainly replacing 21 CFR part 820 with a reference to ISO 13485, making the requirements for corrective and preventive action (CAPA) completely the same.
The MDR and, likewise, the IVDR establish requirements for corrective and preventive actions. These include:
The GHTF has published a guidance document named Quality management system -Medical Devices - Guidance on corrective action and preventive action and related QMS processes, which is worth reading. The document refers back to ISO 9000 for the definitions but to the 2005 edition.
Some of the suggestions on how to implement the requirements of ISO 13485 (e.g., on root cause analysis) can also be found in the Practical Guide to ISO 13485. Auditors use both documents.
The GHTF Guidance is free of charge; the ISO Guide costs approx. 100 EUR.
The term CAPA stands for “corrective action and preventive action.” However, this combining of the two types of action is problematic for several reasons.
a) Problems with standard operating procedure
Some companies create a standard operating procedure (SOP) with the title “CAPA”, in which they (only) define one common procedure for both corrective actions and preventive actions. Sometimes, they even require a preventive action for each corrective action.
In doing so, they pursue the idea that it must be ensured ("prevented") that the problem does not occur again in the same or similar manner. But this form of "prevention" is not a preventive but a corrective action.
Another reason tThere can also not be only one procedure is that because the types of measures differ regarding inputs, roles, or regulatory requirements.
The employee suggestion scheme, the list of future standards and laws, technological trends, and key performance indicators point to possible future non-conformities. However, they are not yet to be understood as information that points to already existing non-conformities and whose causes the manufacturer would, therefore, hasve to eliminate as corrective action.
This means, for example, that the employee suggestion scheme is part of the process with the preventive actions but not the subject of the process with the corrective actions.
A corrective action requires different or additional activities and, in some cases, roles than a preventive action:
There are many methods for finding causes of errors that have already occurred, e.g., the 5-Why method. These methods can usually also be applied to find the causes of errors that have not yet occurred: "How could XY happen?"
ISO 13485 has very precise requirements for handling nonconformities. This means that manufacturers have less freedom when it comes to corrections and corrective actions than they do with preventive actions.
If the MDR and IVDR had adopted the definitions contained in ISO 13485, we wouldn’t need to consider whether corrective actions as defined by the MDR and IVDR are the same as corrective actions and preventive actions combined as defined by ISO 13485.
The MDR grants transitional periods for “non-significant changes.” However, according to the MDCG, what is considered a non-significant change depends on whether it is related to a corrective action.
Do preventive actions now also have to be considered “non-significant design changes”? This would open a whole range of possibilities for manufacturers. Or does the MDR now make a precise distinction between corrective and preventive actions?
Precise definitions of terms and consistent use of these terms would prevent such discussions.
The clear separation of corrections, corrective actions and preventive actions makes sense and manufacturers should pay attention to it. Combining the two as one single "CAPA" process is not appropriate.
The fact that the EU regulations (MDR, IVDR) of all things destroy this conceptual integrity is annoying.
The Johner Institute helps you establish streamlined MDR-, IVDR- and FDA-compliant QM systems that pass audits and inspections.