
    ISO 9001 Blog

    Mark Hammar

    Complete guide to corrective action vs. preventive action

    What is meant by preventive action?

    In a management system, a preventive action (PA) definition could be: “the activities taken by the organization to eliminate the cause of a potential process nonconformity.” In other words, preventive action is taken to fix the cause of a process problem before it can happen. If you are identifying potential problems that could happen in a process, assessing what could cause these problems, and taking action to prevent the problem from occurring before it happens, then you are taking preventive action.

    What is an example of corrective action?

    First, what is corrective action? Corrective action (CA) is the activities taken to eliminate the cause of a process nonconformity. Corrective action is the activity of reacting to a process problem, getting it under control through containment actions, and then taking the action needed to stop it from happening again. Earlier versions of ISO 9001 made the distinction that CA will prevent recurrence of a problem, but PA will prevent the occurrence of the problem.

    In other words, corrective actions take steps to fix the cause of a problem after the problem has occurred, whereas preventive actions notice the problem before it occurs and take steps to fix the cause of the problem before it happens. Here is a simple corrective action and preventive action (CAPA) example:

    • Corrective action – I hurt myself on the corner of a table, find that the cause is that the table has sharp corners, and take action to make the table have rounded corners so that no one else gets hurt. This includes the actions to change the design so that future tables made will have rounded corners.
    • Preventive action – I notice that the corners of a table could cut someone (even though no one has been injured), then find that the cause is the sharp corners, and take action to round the corners and change the future design to have round corners.

    This example uses a product problem, whereas CAPA in the management system normally involves process problems, but it makes the difference between preventive actions and corrective actions easy to see. In short, corrective actions are reactive to a problem after it happens, whereas preventive actions are proactive to a potential problem before it can happen.

    Corrective Action vs. Preventive Action

    Why does ISO 9001 require corrective action and not preventive action?

    The previous version of ISO 9001 included requirements for a corrective action process and a preventive action process as part of quality management. The steps involved in both were essentially the same, but the action that triggered the process was different; corrective action reacted to a problem that occurred, where preventive action was initiated by the identification of a potential problem. There was often confusion about this when implementing earlier versions of ISO 9001; some people only used their preventive action process a few times, as it is a complex process and takes time away from reacting through corrective actions. Still other people interpreted any action during the corrective action process to prevent a recurrence to be preventive action.

    So, now the most recent release of the Quality Management System (QMS) standard, ISO 9001:2015, doesn’t require preventive action any longer. In some ways, this prevents the confusion mentioned above, but in other ways, ISO has indicated that the complex process that was previously involved in PA is unnecessary, and there are other parts of the standard that, when used properly, can effectively provide good preventive actions. Now preventive action is replaced by other parts of the standard, including:

    • Risk-based thinking – This new requirement asks that you identify areas that could affect the QMS where you are uncertain of the outcome. This way of thinking entails identifying this uncertainty, or risk, and determining if you need to take action to prevent bad outcomes or to capitalize on positive outcomes; these are risks and opportunities (essentially positive risk).
    • Improvement – Any improvement activities that you take to make the processes of your QMS better are preventive actions. The focus of the new requirements is for each company to find good ways that work for them to improve processes, rather than having the complicated preventive action system in place from previous versions of the ISO 9001 standard. If you have something as simple as a suggestion program that identifies how to make processes better and implements those changes, this could be an action to prevent a problem.

    It should be noted that some other standards based on the ISO 9001 standard, including ISO 13485 and IATF 16949, still require preventive actions. In both of these standards, the preventive action process is still intended to be the systematic process to address identified potential issues, rather than the improvement activities mentioned above.

    You can learn more about how risk-based thinking is replacing preventive action in the ISO 9001:2015 standard in this article: Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits.


    How do you do corrective and preventive action?

    The systematic process for CAPA has not really changed in the ISO 9001:2015 standard, and it is essentially the same in all of the ISO management system standards. Corrective actions are about improving behavior or performance of the process, and this hasn’t changed. In general, you need to:

    1. Identify the process problem – Define what the problem actually is.
    2. Identify how big the problem is – What is the scope of the problem?
    3. Take action to contain the problem – How can we stop the problem while we fix the root cause?
    4. Identify the root cause of the problem – What is the base of the problem, not just the surface manifestation?
    5. Come up with a plan to fix the root cause – What do you need to change to eliminate the root cause? Make sure the planned changes will not cause further problems.
    6. Put your plan in place – Do what you have planned.
    7. Check that your plan worked – Make sure your plan was effective.

    Many companies will have a corrective action form that follows this process, or a modified process, to capture the information and ensure that you do not forget any steps. Having a good systematic process is important to find and fix the root of the problem for large, systemic issues within your organization. If you only treat the symptom, then the problem will come back. The goal of corrective actions is to correct the root of the problem, so the failure does not recur.

    For a better understanding of a common seven-step process for corrective actions that can apply to any ISO standard, see the article Seven Steps for Corrective and Preventive Actions to support Continual Improvement.

    What should a corrective action plan include?

    When you have identified the root cause of the problem, it is time to create a corrective action plan to eliminate it. The corrective action plan is about addressing the root cause of the problem, not simply correcting the symptom that has been found; correction may be part of the containment actions. For instance, adding in additional inspection may contain the process problem in the short term, but the corrective actions will stop the problem from occurring again.

    Some things to think about when preparing your corrective action plan include:

    • Fully assessing the root cause – Have we fully assessed the root cause, or could there be a further underlying cause to what has been identified?
    • Identify the steps needed – What are the steps needed to eliminate the root cause from the process?
    • Assess schedule & cost – What is the timeline of implementation? What are the cost and return on investment? Are there other alternatives that need to be assessed? Is this plan feasible?
    • Plan for assessment along the way – As you work through your plan, do you need to make changes? Assessing if the plan is working as you proceed can help to ensure that your final assessment for effectiveness will give authentic results.
    • Plan for assessment of effectiveness – Before starting on the plan, how will we know the changes actually worked? Will a key performance indicator improve? Will we have to wait for several months to ensure the problem doesn’t come back (which would mean we didn’t address the root cause)?

    As you can see, the corrective action plan is essentially equivalent to any other project plan you would create in your organization. It is important to set expectations for how long the plan will take, what resources will be required, and when you will be completely done with the corrective action. It is important to note that the ISO standards include a statement that the corrective actions taken should be appropriate to the significance of the effects presented by the nonconformities; so, it is not expected that you will spend an exceptional amount of time and money to address a small problem. Remember this when you assess the feasibility of the plan.

    You can learn more about the difference between correction and corrective action in the article: ISO 9001 – Difference between correction and corrective action.

    What is a preventive action plan?

    A preventive action plan, created for preventive actions, needs to include all of the same things that a corrective action plan does, as outlined above. If you are taking action to remove an identified risk, this should also be treated like a project, with the same adequate oversight and budgeting of resources.

    It is, of course, important to note that even a CA plan includes elements to prevent the problem from happening in the future. The distinction of the PA plan is that it is implemented proactively for a potential problem, rather than as a reaction to an existing problem.

    Why is corrective action important?

    When dealing with a systemic problem, one that is not due to a one-time mistake, but rather is caused because of something in the system, you can lose a lot of time and money by ignoring it. This is why corrective action is important. If people are performing unnecessary activities to continually fix problems that occur, or need to be constantly vigilant to catch problems that happen all the time before they go further, then you can save a lot of resources by taking the necessary actions to stop the problems from happening again. The CA process is part of the Quality Management System to save you time and money.

    It is important to note that one of the issues with the corrective action process is that it is difficult to use for small, non-systemic problems where a root cause is not able to be found. For this reason, the new ISO 9001:2015 standard (and others related to it, such as ISO 14001:2015 and ISO 45001:2018) has added into the requirements a decision after you have corrected the problem.

    Once you have fixed the problem that was found, you can determine the need to take action to eliminate the root cause of the nonconformity. If you determine this is not needed, such as for a one-time issue that shows no signs of recurrence, you can stop the corrective action process without going further. You will still want to follow up to ensure the problem does not recur and, if it does prove to be systemic, change your decision and take further actions.

    When should a leader take corrective action?

    Corrective action is about doing more than just fixing a small problem; it is about addressing a systemic issue that needs elimination rather than a small error that needs correction. So, a leader should take corrective action when a systemic problem has been found. Some ideas for things leaders should review to look for potential systemic issues include:

    • Key performance indicators (KPI) – Are there routine problems indicated by the performance indicators you have chosen? Do your KPIs show you that your processes are working properly?
    • Review of records – Do your records show regular problems that should be investigated, such as a cyclic delay that always happens on a certain date in the month?
    • Feedback from employees – If there are employee suggestions of issues they are continually resolving, do you need to investigate further?
    • Results of audits – Audits are used to point out where processes aren’t meeting planned requirements, and assessing these shortcomings could point out systemic problems. This includes internal audits and customer audits, as well as certification audits.

    For more on how a leader should react to a corrective action, see the article: How to proceed once a corrective action is initiated in the EMS.

    How do you implement corrective action?

    Implementing corrective action is as simple as following the plan you have identified. Perform each step you have identified, ensure it is completed satisfactorily, and assess that changes have not introduced new risks that you need to further address. Once again, thinking of your CA plan as a project plan can help you to understand how implementation should proceed.

    For implementation of a complex plan, you may want to use a Gantt chart to organize all of the activities, who will be doing them, and by when. This type of tool can also indicate which activities can occur in parallel, and which need to wait until other actions have taken place. Even if you choose another method to track your implementation, it is important to ensure that actions are identified with resources, timelines, and how complete they are.

    How do you write a corrective action report?

    As with any other report in an organization, the corrective action report can take whatever form is adequate in your company. Larger companies, with many people in top management, may want formalized reports for big corrective actions – as they would for any project. These reports may include executive summaries, detailed outcomes and expenses incurred, and evidence for effective closure. Others may simply include a completed CAPA form as the report.

    There are some requirements for records to be kept in the ISO management system standards, and these records should be included as part of your report as a minimum. The ISO management system standards, such as ISO 9001:2015 or ISO 14001:2015, require that the following be kept as CA records:

    • The nature of nonconformities you have taken corrective actions for
    • The actions taken in the corrective actions
    • The results of the corrective actions, which would include the effectiveness

    Remember that the process is there to help you to save resources by removing larger systemic problems from your organization, rather than being a burden to your company. Make sure you implement a CAPA system that will work for you; not one that is just there for show. Removing problems can be one of the best ways to make your organization better.

    To learn more about how to use corrective actions for an internal audit, download this free white paper: How to perform an internal audit using ISO 19011.


    About the author:

    Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality, and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.
