Complete guide to corrective action vs. preventive action

CAPA meaning

CAPA is an acronym for “corrective and preventive action.” Though these might sound similar, they are not the same. Let’s look at the differences in corrective vs preventive action.

Corrective and preventive action — What are the differences?

Both corrective action and preventive action are designed to address problems that can occur in a process. The difference between corrective action vs preventive action lies in the timing and the situation. Corrective actions (CA) take steps to fix the cause of a problem after the problem has occurred, whereas preventive actions (PA) involve noticing the problem before it occurs, and taking steps to address the cause of the problem — before it happens.

It is important to note that corrective and preventive action plans share many common elements, while the primary difference is the trigger for the action. Corrective actions are initiated in response to a specific, isolated incident, whereas preventive actions are driven by data analysis. Preventive actions address potential issues identified through trends or patterns in data, aiming to improve future performance. For example, if the defect rate last year was 2% and the goal for this year is to reduce it to 1.5%, failure to achieve this improvement would be considered a non-conformity, necessitating preventive measures.

Let’s look at the difference between corrective and preventive action in more detail.

Corrective action definition

The meaning of corrective action is the reactive process used to eliminate the cause of an existing process nonconformity. Rather than preventing a problem before it occurs, the corrective action process involves identifying a problem, getting it under control through containment actions, and then taking the action needed to stop it from happening again.

Preventive action definition

We can define preventive action as the proactive process of identifying potential problems that could happen in a process, assessing what could cause these problems, and then taking action to prevent each problem from occurring before it happens. In short, the preventive action process is designed to prevent a potential problem from occurring in the first place.

Corrective action and preventive action examples

Let’s look at some examples to help us better understand corrective action vs preventive action:

  • Corrective action – I hurt myself on a table. I find that the cause is the sharp corners on the table, so I take action to round the corners of the table so that no one else gets hurt. This includes the actions to change the design so that future tables will be made with rounded corners.
  • Preventive action – I notice that the sharp corners of a table could cut someone (even though no one has been injured), so I take action to round the corners and change the future table design to have rounded corners.

This is an example that uses a product problem, where CAPA in the management system normally involves process problems, but with this example it is easy to see the difference between preventive action vs corrective action.

As you can see in the chart below, the CAPA process figures prominently in several international standards and the management systems based on them — although corrective action has more recently become the focus, rather than preventive action.

Corrective Action vs. Preventive Action: A complete guide


Why do the recent ISO standards require corrective action and not preventive action?

The previous versions of ISO 27001, ISO 9001, ISO 14001, and other standards that align with Annex SL included requirements for a corrective action process and a preventive action process as part of the management system. The steps involved in both were essentially the same, but the action that triggered the process was different; corrective action reacted to a problem that occurred, where preventive action was initiated by the identification of a potential problem. There was often confusion about this when implementing earlier versions of these management systems; some people only used their preventive action process a few times, as it is a complex process and takes time away from reacting through corrective actions. Still other people interpreted any action taken during the corrective action process to prevent a recurrence to be preventive action.

The most recent release of the management system standards aligned with Annex SL, such as ISO 27001:2013, ISO 9001:2015, and ISO 14001:2015, no longer require preventive action. One reason could be that this prevents the confusion mentioned above; in addition, ISO has indicated that the complex process that was previously involved in PA is unnecessary, and there are other parts of the standard that, when used properly, can effectively provide good preventive actions. Now preventive action is replaced by other parts of the standard, including:

  • Risk-based thinking – This new requirement asks that you identify areas that could affect the management system, but where you are uncertain of the outcome. This way of thinking entails identifying this uncertainty, or risk, and determining if you need to take action to prevent bad outcomes or to capitalize on opportunities — essentially positive risk. In these newer standards, assessing top-level strategic risks and opportunities is part of the planning clause, clause 6.
  • Improvement – Any improvement activities taken to make the processes of your management system better are preventive actions. The focus of the new requirements is for each company to find effective ways to improve processes, rather than having the complicated preventive action system in place from previous versions of the standards. If you have something as simple as a suggestion program that identifies how to make processes better, and then implement those changes, this could be an action to prevent a problem.

It should be noted that some other standards based on the ISO 9001 standard, including ISO 13485 and IATF 16949, still require preventive actions. In both of these standards, the preventive action process is still intended to be the systematic process to address identified potential issues, rather than the improvement activities mentioned above.

You can learn more about how risk-based thinking is replacing preventive action in the ISO 9001:2015 standard in this article: Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits.

You can also read more on how Annex SL works in the article: Is ISO 45001:2018 compliant with Annex SL?

Complete guide to corrective action vs. preventive action - Advisera

Preventive action process

As mentioned, the preventive action process has been eliminated from most ISO standards; however, some quality management standards, such as IATF 16949 and ISO 13485, still require preventive actions. In general, the steps in the preventive action procedure include:

  1. Identify and describe the potential problem.
  2. Evaluate the potential risk and opportunity associated with the preventive action.
  3. Identify and document the root cause of the potential problem.
  4. Develop a preventive action plan to address the root cause and prevent the problem.
  5. Implement the preventive action plan.
  6. Follow up to ensure that the root cause was, in fact, eliminated.

What is a preventive action plan?

A preventive action plan needs to include all of the same things that a corrective action plan does, as outlined in the text below. If you are taking action to remove an identified risk, this should also be treated like a project, with the same adequate oversight and budgeting of resources.

Corrective action process

The systematic corrective action process is essentially the same in the newer ISO management system standards aligned with the ISO Annex SL format. Corrective actions are still about improving behavior or the performance of a process.

1) Identify the process problem. First, make sure the problem is, in fact, a real problem, and not just a perceived problem. A good test is if you can write the problem with a requirement to compare, what is often called a “Should Be” and “Is” statement (e.g.: Parts should be nickel plated; parts were received painted black). If you can’t say what the outcome should be (or is expected to be), then you may not have identified a real problem.

2) Identify how big the problem is. What is the scope of the problem? Is it just today’s product, or was yesterday’s product affected, too? Is it just this one product, or is it on more than one product? Make sure you know what the problem is — and, more importantly, what it is not. For example, if the problem only happens on Wednesdays, this may be important information.

3) Take action to contain the problem. How can you stop the problem while you fix the root cause? Make a correction that stops the problem in the short term, while you look for the ultimate cause and fix that. Basically, what immediate checks or stopgap measures are you putting in place to make sure that you will definitely catch the problem again if it recurs while you are fixing it?

4) Identify the root cause of the problem. How do you make sure you have found the underlying issue?  This is the trickiest part. There are many different ways to do this, from asking “Why” five times until you find the ultimate cause, to more difficult methods like a classic Ishikawa (or Fishbone) Diagram. Whole training courses have been dedicated to this topic, but suffice it to say that you want to try to identify the underlying problem, not just a surface problem. After this step, it is wise to make sure that your scope has not become bigger, making further containment actions necessary.


Fishbone Diagram Potential caues of the problem separated into six categories


5) Come up with a plan to fix the root cause. What do you need to change to eliminate the root cause? Here, depending on the problem, you will need to identify the cost and return on investment. How will it be funded (if it is a complicated and expensive fix), and who needs to approve the expense? Make sure the planned changes will not cause further problems. This is called a corrective action plan (we’ll go into further detail below).

6) Put your plan in place. This is as simple as following through on your plan and making it happen. It could be as straightforward as implementing the preventive maintenance program already described, or buying and installing a new piece of equipment because the old one could no longer keep the accuracy you need.

7) Check that your plan worked. Simply put, after you have made your updates, wait a suitable amount of time and make sure the problem doesn’t recur. If it does, you need to question if you got the actual root cause. This is the most important step, but also the step that most companies have trouble with. Often, people want to close out the paperwork quickly, or think the registrar requires closure early to demonstrate timeliness, but proper follow-up is essential.

Many companies will have a corrective action form that follows this process, or a modified process, to capture the information and ensure that they do not forget any steps. Having a systematic process is important to find and fix the root of the problem for large, systemic issues within your organization.

What is a corrective action plan?

The corrective action plan is a set of actions designed to eliminate the problem at its source.

Any time you have any nonconformity, you will be taking steps to correct it, but what you correct is the difference between a simple correction and a corrective action. With a correction, you will address the most obvious problem so that you can remove the nonconformity and make the process acceptable to continue while you look for the root cause.

Conversely, once you have investigated the causes of the problem until you understand the root cause, and then taken actions to correct this root cause so that the problem cannot recur, you have taken a corrective action.

Complete guide to corrective action vs. preventive action - Advisera

For instance, a correction, such as an additional inspection, may contain the process problem in the short term — but the corrective action will stop the problem from occurring again.

What should a corrective action plan include?

Some things to think about when preparing your corrective action plan include:

  • Fully assessing the root cause – How can we be sure that there is not a further underlying cause to what has been identified?
  • Assessing the risks and opportunities of the change
  • It has always been important to make sure that the changes you decide to make are not going to cause more problems. But, with the new version of the ISO standards, there is a requirement to address the risks and opportunities associated with a possible process change. For example, by making a process change to address a root cause, is there a risk that the output of the process will cause a problem further on in your business, or even at your customer’s site? If you have identified a good corrective action for one process, is there an opportunity for it to be put in place for other processes to prevent problems from occurring in the future?
  • Identifying the steps needed – What steps are needed to eliminate the root cause from the process?
  • Assessing schedule & cost – What is the timeline of implementation? What are the costs and potential return on investment? Are there other alternatives that need to be assessed? Is this plan feasible?
  • Plan for final assessment as you go – As you work through your plan, do you need to make changes? Assessing if the plan is working as you proceed can help to ensure that your final assessment for effectiveness will give authentic results.
  • Plan for assessment of effectiveness – Before starting on the plan, how will we know the changes actually worked? Will a key performance indicator improve? Will we have to wait several months to ensure that the problem doesn’t come back (which would mean we didn’t address the root cause)?

As you can see, the corrective action plan is essentially equivalent to any other project plan you would create in your organization. It is important to set expectations for how long the plan will take, what resources will be required, and when the corrective action will be complete. It is important to note that the ISO standards include a statement that the corrective actions taken should be appropriate to the significance of the effects presented by the nonconformities; so, it is not expected that you will spend an exceptional amount of time and money to address a small problem. Remember this when you assess the feasibility of the plan.

How do you implement corrective action?

Implementing corrective action is as simple as following the plan you have identified. Perform each step, ensure it is completed satisfactorily, and make sure that the changes have not introduced new risks that you need to address further. Once again, thinking of your corrective action plan as a project plan can help you to understand how implementation should proceed.

For implementation of a complex plan, you may want to use a Gantt chart to organize all of the activities, who will be doing them, and by when. This type of tool can also indicate which activities can occur in parallel, and which need to wait until other actions have taken place. Even if you choose another method to track your implementation, it is important to ensure that actions are identified with resources, timelines, and level of completion.

Complete guide to corrective action vs. preventive action - Advisera

Why is corrective action important?

When dealing with a systemic problem, one that is not due to a one-time mistake, you can lose a lot of time and money by ignoring it. If people are performing unnecessary activities to continually fix problems that occur, or if you need to be constantly vigilant to catch problems that happen all the time before they go further, then you can save a lot of resources by taking the necessary actions to stop the problems from happening again. The corrective action process is part of the Quality Management System to save you time and money.

It is important to note that one of the issues with the corrective action process is that it is difficult to use for small, non-systemic problems where a root cause cannot be found. For this reason, the new ISO 9001:2015 standard (and others related to it, such as ISO 14001:2015 and ISO 45001:2018) now requires a decision after you have corrected the problem.

Once you have fixed the problem that was found, you must decide on the need to take action to eliminate the root cause of the nonconformity. If you determine this is not needed, such as for a one-time issue that shows no signs of recurrence, you can stop the corrective action process there. You will still want to follow up to ensure that the problem does not recur, and, if it does prove to be systemic, change your decision and take further action.

Of course, it is important to remember that some other standards based on the ISO 9001 standard, including IATF 16949, have not made this change, and addressing the root cause is still required.

When should a leader take corrective action?

Corrective action is about doing more than just fixing a small problem; it is about addressing a systemic issue that needs elimination rather than a small error that simply needs correction. Leaders should review the following to look for potential systemic issues:

  • Key performance indicators (KPI) – Are there routine problems indicated by the performance indicators you have chosen? Do your KPIs show you that your processes are working properly?
  • Review of records – Do your records show regular problems that should be investigated, such as a cyclic delay that always happens on a certain day of the month?
  • Feedback from employees – If employees complain of issues they must continually resolve, do you need to investigate further?
  • Results of audits – Audits are used to point out where processes aren’t meeting planned requirements, and assessing these shortcomings could point out systemic problems. This includes internal audits and customer audits, as well as certification audits.

How do you write a corrective action report?

As with any other report in an organization, the corrective action report can take whatever form is adequate in your company. Larger companies, with many people in top management, may want formalized reports for big corrective actions — as they would for any project. These reports may include executive summaries, detailed outcomes, expenses incurred, and evidence for effective closure. Others may simply include a completed CAPA form as the report.

There are some requirements for records to be kept in the ISO management system standards, and this should be included as part of your report, at a minimum. The ISO management system standards based on Annex SL, such as ISO 27001:2013, ISO 22301:2019, ISO 9001:2015, and ISO 14001:2015, require the following to be kept as CA records:

  • The nature of nonconformities you have taken corrective actions for
  • The actions taken in the corrective actions
  • The results of the corrective actions, which would include the effectiveness

Remember that the process is there to help you to save resources by removing larger systemic problems from your organization, rather than being a burden to your company. Make sure you implement a CAPA system that will work for you, not one that is just there for show. Removing problems can be one of the best ways to make your organization better.

To learn more about how to use corrective actions for an internal audit, download this free white paper: How to perform an internal audit using ISO 19011

Advisera Mark Hammar

Mark Hammar

Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.
Read more articles by Mark Hammar