Hello. My name is Joe Tartal and I'm the Postmarket and Consumer branch chief in the Division of Industry and Consumer Education. The topic of corrective and preventive action is an important one. It is a gauge to the health of the quality of your system. Everyone knows the problems such as nonconformities can and do occur. The big questions are you able to identify them and what do you do about them?
I worked in the industry for close to 15 years, establishing quality systems, including developing effective corrective and preventive action systems. Since 2006, I have worked at FDA. During that time I have worked with both the Office of Regulatory Affairs and the Office of Compliance on educational outreach, and understand the agency's expectations for quality. We all share the same common goal to ensure safe and effective medical devices on the market, and corrective and preventive action ensures that big or reoccurring problems are either resolved, or do not occur in the first place. So by the end I want to you walk away with these learning objectives and understand these concepts: Know the purpose of corrective and preventive action; have the ability to distinguish between each of the defined terms; understand the requirements in CFR 8120 - the quality systems regulation; identify various types of data and tools that can be used to meet those regulatory requirements; recognize examples and best practices; and of course, be aware of compliance concerns.
The purpose of corrective and preventive action, again, is to aid in adequately assessing the effectiveness of your overall quality system. This is one of the reasons why it's reviewed during all FDA routine inspections - both level 1 base line and level 2 abbreviated inspections. This is per the compliance program guide. So the purpose is to collect and analyze information to identify actual and potential product and quality problems. It's an overarching system, collects and receives information throughout other parts of the quality system, and has many sources. And its fingers are almost everywhere throughout your quality system.
Another purpose is to investigate product quality and problems, and take appropriate and effective actions. Okay, so the aspect is that once you know and have identified something is wrong, to do something about it. It requires addressing those causes that you take action against. Also, the purpose is to verify or validate the effectiveness of those corrective or preventive actions taken, ensure that you've taken the right actions, and that you've confirmed that those are the right actions.
Another purpose is to communicate corrective and preventive action information to the appropriate people - that this information is shared with those responsible. And also, to provide that information for management for review, because remember, quality systems is a top -down approach, and executive management needs to understand when issues are occurring. And last, to document those activities so that they are available for review at other times. Next we're going to talk about definitions. We're going to talk about the definitions of correction, corrective action, and preventive action. These terms are not defined in 21 CFR 820. However, they are defined per ISO 9001, and specifically, the preamble discusses its harmonization of the terminology to ISO 9001, 1994. These definitions are taken from the ISO 2005 vocabulary and also used in the Global Harmonization Taskforce Guidance corrective and preventive action.
So correction is an action to eliminate and detect a nonconformity, and a detected nonconformity means the nonfulfillment of a specified requirement. A correction can be made in conjunction with a corrective action, a correction can be, for example, rework or regrade. So for example, if in my slide I have a misspelled word and I go into the slide and just change that single misspelled word, that is a correction.
Whereas, a corrective action is to eliminate the cause of that nonconformity or other undesirable situation. There can be more than one cause for the nonconformity, and a corrective action is taken to prevent reoccurrence of that nonconformity. And there is a difference between the corrective, correction and corrective action. For example, the misspelled word. If I go into the slide and change that one misspelled word, that is a correction. However, if I determine that I need to figure out what the cause of that misspelled word is, either that I'm not reviewing the slides or that there's difficult words in it, I may go back and try to determine why those misspelled words have made it into my slides. I may do something like add spell-check to part of my presentation development process, and that would be considered a corrective action.
Now, preventive action is an action to eliminate the cause of the potential nonconformity or other undesirable situation. There can be, again, more than one cause for a potential nonconformity. And a preventive action is taken to prevent the occurrence in the first place. So using my example of the misspelled word in my slide again, if it happens before the nonconformance occurs, the potential problem does not become an actual problem, then that is a preventive action.
So for example, if I know that another group is doing presentations and I have seen that misspelled words has caused problems with their audience, I can go back and institute using spell-check prior to me ever putting a presentation slide together, and that would be considered a preventive action. So the difference between a correction, I'm eliminating the actual nonconformity itself, a corrective action, I'm eliminating the cause of the nonconformity, or preventive action, where I'm eliminating the cause of a potential nonconformity. The nonconformity has not occurred in the first place.
So with that, we move on to the regulatory requirements. These are what you're required to do. And it is one of the next learning objectives that we put forward in the beginning of our presentation. So establish and maintain procedures for implementing corrective and preventive action. And by establish we mean define, document, and implement. Do it. So depending on the type of device that you manufacture, the risk of that device, the complexity of both the device and the manufacturing process, and the complexity of your organization, will help you define and develop how you're going to establish your corrective and preventive action procedures. And of course, you're going to follow sections A 1 through A 7, per 21 CFR 820.100(a).
The preamble speaks about procedures. The procedures for implementing corrective and preventive action must provide for control and action to be taken on devices distributed, and those not yet distributed, that are suspected of having potential nonconformities. So note that this is broader than just the requirements in complaint handling 820.198, and nonconforming product 820.90. The preamble is telling you this. It's telling you that CAPA is, your CAPA procedures are going to have a very broad scope and go throughout your quality system. And it tells you that you're going to address not just immediate problems, but even across product families or possibly other product lines.
Where to start? Planning is always a good place to start, and this is an example of a quality plan. And these particular plans are taken from the Global Harmonization Taskforce Guidance for corrective and preventive action 2010, which can now be accessed at the National Medical Device Regulator Forum’s website.
So the first part of this is establishing data sources and criteria. You want to understand what it is you need to measure, and when and what the threshold is for entering into corrective and preventive actions. Not everything that you do, not every nonconformity, is going to go into corrective action and preventive action systems.
Next, you're going to have to measure and analyze these different data sources, so you need to define how and what way you're going to do this. Quantitative when possible, and if qualitative, you want to minimize all subjectivity. And you should link to other information that you've already gathered. So this is where other systems feed into your corrective action and preventive action system. Such measurement and analysis tools should actually be developed around things that you've already been working during the product development as part of your design controls. Things like risk analysis and essential outputs are things that feed into those measuring analysis data source that have already been identified.
Next, improvement plans. How are you going to use this information now that you have great data that you've been gathering around, and when you've met that threshold as to something that needs to be entered into corrective action and preventive action. So you want to have some sort of feedback into how you're going to utilize that information.
And of course, last, input to management. You need to be able to look at who it is that this needs to be provided to, and again, when. So you’re going to have establishing data sources as the first part of that plan.
And per 21 CFR 824.100(a)1, you're required to analyze data sources - ones that identify both product and quality issues, and these can come from both internal sources as well as external sources, and here are some examples of that internal source data. You have process control data, such as statistical process control monitoring, that has been developed during process validation. This can feed into as one of those data sources that can be a trigger for corrective action and preventive action.
Test and inspection data. Are you meeting your predetermined criteria, device history records, which can be trended over time, to see how things have been working with regards to those criteria that you set?
Internal audits, the next two bullet points - nonconforming material reports and rework scrap yield data, relate back to the efficiency of your operations. So if I'm a manufacturer, I want to look at this material because are these things that I've predicted? or are these things that are new, and I'm having greater yields of scrap, or I'm having more nonconforming material reports which end up being issues with regards to your manufacturing process and your product as a whole.
And of course, training records. Not only are these employees trained, but is the training itself effective? So these are examples of internal data sources that can feed into corrective and preventive action.
Next are some external data sources that can feed into the system. Supplier controls, you know, as they relate to purchasing, 21 CFR 820.50. Sometimes different vendors or suppliers will be given vendor corrective action reports, or supplier corrective action reports, in order to ensure that reoccurring problems are either stopped, or if it's a big issue, that the problem is taken care of at the supplier source. As the manufacturer, you have the final responsibility over top of your suppliers. And of course, your customers are going to be a great source of data. And that could be from customer feedback or complaints themselves. And those complaints, as per 820.198, could trigger and feed into a CAPA.
Servicing and repairs is another source. In servicing repairs, some may be new in service which is fine, but if you're running into unexpected or other type of maintenance issues that weren't identified during design or identified at other places, it may feed back into your corrective and preventive action system. And of course, adverse event recording. Both your own adverse event reporting, as well as things that are identified as research during looking at FDA's MAUDE database, or even similar devices from competitors with regards to the MAUDE database. These could be things, for example, ones that have not had an actual problem with your product, but could be a potential one that becomes a preventive action. And while the preventive actions may be ones that are difficult to identify, they also have the biggest impact because you're able to make that change before they become an actual product problem.
So even similar to devices from competitors with regards to MAUDE, as well as looking at recall databases, can be utilized as an external data source for your own corrective and preventive action system. So once you have this data that's being fed in, you now need to do some sort of data analysis of this material. So you have to analyze these processes, work operations, concessions, quality and audit reports, quality records, service records, complaints, returned product, and other identified sources to determine what is going on with them.
Again, the requirement is to identify and analyze data sources available to you. And this is broad and encompassing and you have to determine the priority and how. So, a couple ways to do this are one, using some different approaches to looking at both non-statistical and statistical techniques for doing data analysis. The first is to use a risk based approach to rank the areas. ISO 14971 is the standard for risk management, and while it's not a requirement, it is consensus standard that FDA recommends you utilize for doing this risk based approach. And this way you can select items with major impact and look at them from either both product-related or process-related stand points.
And of course you want to process these items from high to low impact, eventually assuring that all areas are being addressed. One of the good reasons to do this is that everyone understands that people are limited by their resources. So how do you go to the biggest and find out the biggest issues first, and then work your way back to those lower issues while addressing all of them? And using a risk-based approach is one of the ways to do that.
Another way to do this data analysis is to use statistical methodology. And per 21 CFR 820.100, appropriate statistical methodology shall be employed when necessary to detect reoccurring quality problems. Now, from an FDA standpoint, you need to be able to explain the use of these statistical methodologies and how they fit into with setting up your thresholds and your criteria for entering into corrective and preventive actions. So you should be able to explain why this methodology was used, and how it is linked back into the criteria that you have set.
So next, after you set those different analysis, you have to determine cause. The regulation is telling you that you have to investigate to determine the cause of the nonconformance related to both product, processes and the quality system. Now, from this standpoint what I'll tell you, in my own experience, is you need to be objective here. Do not jump to conclusions, drill down, try to get to the root cause.
So we talked about training as an internal source. One of the things that I have seen identified when I was doing auditing was, if I could see training being used over and over and over again as a corrective action, I would then question how much of an investigation was done to determine the cause.
Because if I'm seeing the same corrective action over and over again, but that's not changing the actual problem from going away, I then have to make, at the least, to question the training program as a whole. And that's where you want to step back and be able to investigate to determine the cause, and try to get to the root cause, because that's where you want to make your corrective action occur. And the preamble talks about investigation, and again, it talks about requirement in the sections is broader than the requirements for complaints, because it requires that nonconforming product discovered before or after distribution be investigated to a degree significant to that risk.
And again, this goes back to us talking about risk being used as one of those analysis tools. So the preamble on investigation tells you to use risk to look at both product that's been discovered before it’s released, and after it's released. So it's broader than both 820.198 and 820.190 conforming product , and it continues on that the section that applies to both process and quality system nonconformities as well. So, if during process validation, you have determined as part of that process that in the loading process there was a known rate of a normal five percent rejection rate, and that rate now increases to 10 percent, you should do an investigation to try to determine why this change occurred. So you want to link and look at okay, we've already been able to establish the process parameter being at 5 percent. We now see 10 percent. Something has changed in our process. This is something that should likely have been fed into having an investigation done, and likely have a corrective and preventive action open for it to do that investigation, because something has changed from that initial process validation.
So now that you've done that, you have to identify the corrective and preventive action that you want to take. So the regulation tells you to identify the actions, either to correct and prevent the reoccurrence of that nonconforming product, or other quality problem. So going back to that example of the five to 10 percent defect, you now have identified it, you now need to get to an investigation to determine what the cause of it is, and now look at what action needs to be taken. So what are you going to do? And again, risk plays a big part to this. So what type of action can be taken? You can either take no further action, you can either make a correction, 1 and done, you can do a corrective action which stops it from reoccurring, or if you have identified that the actual problem hasn't occurred, but there's a potential that it could occur, you can do a preventive action to stop it from occurring in the first place.
So these are your possibilities. And again, not everything goes into the corrective and preventive action system. So you have to make a determination from the information that you've seen as to what's going be to be fed into corrective and preventive action. So what does the preamble say with regards to risk, and what you need to do?
So the degree of corrective and preventive action taken should be to eliminate or minimize actual or potential nonconformities and must be appropriate to the magnitude of that problem. So not all problems are going to be the same. It's going to link back into the risk of those issues. The higher the risk, the greater action you're going to need to take. And these could range from having a full device design change, to just making a change on a documentation to look for some better clarification on what that process entails, and the training for doing that particular process. This will all depend on risk. Then once you've determined what it is that you're going to do, what corrective action is going to be taken, you need to verify or validate the corrective and preventive action to ensure that it is going to be effective and it does not adversely affect the finished device.
So with that, we'll go back to our example with spell-check. So if I make a corrective action that I’m going to use spell-check, and I later find out that it's changing words within my presentation, I need now to go back to see whether or not that spell-check is causing other issues with regards to the presentation and the words being changed. So I need to make sure not just that it's effective, but it does not adversely affect other aspects, that it doesn't adversely affect the other aspects of that finished device.
So you need to go back and verify when you can, and validate, if you can't verify, that the action is going to be effective, and again, that it does not adversely affect the finished device. So the preamble talks about verification and validation. FDA has revised section 820.100(a)4 to reflect that preventive and corrective action must be verified or validated. One of the things that was brought out in the preamble discussion was why do we have to go back and validate or verify preventive action? Well, the same question that I just asked with regards to my spell-check example is, if I see that someone else is using spell-check, or someone else is having spelling issues and I make that change that I'm going to use spell-check, it could have an adverse impact on my final product. So I need to go back and ensure that it does not have that impact on my final product. And that's why preventive action as well as corrective action has to be verified or validated.
And then, of course, you have to implement that corrective and preventive action. And you have to implement and record changes in methods and procedures needed to correct and prevent those identified quality problems. So this is where I've seen it, not just with regards to our industry in medical devices, but in several industries with different products, where they do all the investigation, they do all the work to even identify what the corrective or preventive action should be, and then they don't do the implementation. And this is something where, if you watch general news, every month or so you'll hear about different examples that have occurred. Where companies knew about an issue, they investigate the issue, they've even identified the corrective and preventive action, but they failed to implement it. And that is a huge impact, both on the trust that you have with us as a regulatory agency, but also the trust that your customers have with you.
So I would say if you find out that something has been put through your system, you have to implement it. You have to do something about it. And of course, once you've implemented it and you've done it, you now need to communicate this information. So you need to give this information to those directly responsible for assuring the quality of such product, or prevention of such problems. So if I'm a person and I'm working on that particular product area, I need to be in the know that this particular corrective action or preventive action has been put into place. And, of course, I also need to submit that relevant information up to management for management review.
So management, they have to be aware of what is going on. They have to be aware that these problems are occurring, and what you're doing about them. And the preamble talks about CAPA activities with regard to management review, and what it says is that only certain information needs to be directed to management. That they don't need to hear every specific detail, but they do need to hear everything that's relevant with regards to what's going on. FDA emphasizes that it's always management's responsibility to ensure that all nonconformity issues are handled appropriately. Whether they're handled through correction, corrective action, or preventive action, it all goes back to management responsibility.
So you don't need to explain every detail, but you do need to make sure that information is provided to them. And you can provide it at a higher level, but make sure that they have enough information that they understand what those issues are. Value their time. Their time is important. So during these management review meetings, make sure that you put that information in a particular way that they can be able to understand and be able to see.
Last, you're going to have to document all those corrective action and preventive action activities. You have to document those that are required under the section 820.100(b), which tells you to document everything under 820.100(a),(a), 1 through 7. Because from a general standpoint, if it wasn't documented, it didn't occur. So you want to make sure that you document everything that now has occurred through that corrective and preventive action system, including the procedures in order to implement this process and to do it, as well as all the actual work that comes from the different things that have been identified through your different internal and external sources that have been investigated, that have been determined to be analyzed to see root cause, and the implementation of that actual particular action that's taken.
And then, even a documentation all the way up through who was told about it, as well as its review by management. So the preamble also talks about corrective and preventive action with regard to internal audits and management reviews. So as a general policy, the office of regulatory affairs, during inspections, does not look at the actual findings of internal audits. They'll look at your procedures for internal audits, your schedules, but they won't look at the actual findings. Same thing with management review. They will not look at the actual management review meeting minutes, but they will look at your procedures for doing management review, as well as an agenda or possibly those that signed in to be part of that meeting. But they won't look at the meeting minutes themselves. This is true in all cases, except for corrective action and preventive action. So for these, these are things that FDA has said in the preamble that they have authority to review the records as they relate to this particular system, and they can do so because it's an obligation with regards to protecting the public health. And this is one of those things where manufacturers do not want to try to restrict this information by hiding issues in internal audits or management reviews.
With regards to corrective action and preventive action, you want to be able to show what you're doing about issues that you have self-identified, and how you're planning or have planned to implement corrective action, or preventive actions, to make those changes. So I argue that during an FDA inspection, manufacturers should consider that these corrective actions and preventive action documentation, even as they are part of your internal audits or part of your management reviews, are a way to demonstrate to FDA that your quality system is effective, and enables you as the manufacturer to self- identify the problems, and implement effective ways to stop them from reoccurring, or not occurring in the first place. It shows you that you are in control of your own system, and shows FDA that you're in control of your own system, and can adapt and handle problems and nonconformance. Both quality process nonconformities as well as product nonconformities.
There are guidance documents available. The first is the Quality Management System Medical Device Guidance from the Global Harmonization Taskforce, guidance on corrective action and preventive action as it relates to quality management system processes. This guidance gives great detail in ways to meet the regulatory requirements of corrective action and preventive actions. So I would recommend that you spend some time looking up this source material. It's underneath the International Medical Device Regulators Forums’ web page in the Archive section for Global Harmonization Taskforce. It spells out different aspects that you can use to help build your corrective action and preventive action system for your quality system. Spend some time to review it, take the ideas that work for your device and your system, and utilize what you think will work well.
Another guidance which is written specifically for doing quality audits is the Nonconforming Grading System for Regulatory Purpose and Information Exchange, also done by the Global Harmonization Taskforce. It, too, is on the International Medical Device Regulators Forum’s website. This one is written, though, specifically for auditing. However, there are some good ideas in it with regards to grading and using risk to set upgrading systems for nonconformities - both nonconformity product as well as nonconforming processes and systems. So this is another quality management system guidance that's available that you can draw and get some ideas from. So I would spend some time looking through both of these documents.
And of course, FDA has its own educational tools that we provide to industry, such as: CDRH Learn, which is a multi-media educational tool which uses video modules and recordings with PowerPoint presentations to provide information; Device Advice, which is a comprehensive, text-based education tool; and of course, the last, my own division, Division of Industry and Consumer Education, who is available to answer questions by email and by phone on medical devices. Thank you for your attention today.