Get 4 FREE months of Conformio to implement ISO 27001

Complete guide to corrective action vs. preventive action

What is a preventive action?

Preventive action is taken to fix the cause of a process problem before it can happen. In a management system, a preventive action (PA) definition could be: “the activities taken by the organization to eliminate the cause of a potential process nonconformity.” If you are identifying potential problems that could happen in a process, assessing what could cause these problems, and taking action to prevent the problem from occurring before it happens, then you are taking preventive action.

What is corrective action?

Corrective action (CA) is the activities taken to eliminate the cause of a process nonconformity. Corrective action is the activity of reacting to a process problem, getting it under control through containment actions, and then taking the action needed to stop it from happening again. Earlier versions of ISO 9001 made the distinction that CA will prevent recurrence of a problem, but PA will prevent the occurrence of the problem.

Corrective and preventive action examples

Corrective actions take steps to fix the cause of a problem after the problem has occurred, whereas preventive actions notice the problem before it occurs and takes steps to fix the cause of the problem before it happens.

Here is a simple corrective action and preventive action (CAPA) example:

  • Corrective action – I hurt myself on the corner of a table, find that the cause is that the table has sharp corners, and take action to make the table have rounded corners so that no one else gets hurt. This includes the actions to change the design so that future tables made will have rounded corners.
  • Preventive action – I notice that the corners of a table could cut someone (even though no one has been injured), then find that the cause is the sharp corners, and take action to round the corners and change the future design to have round corners.

This is an example that uses a product problem, where CAPA in the management system normally involves process problems, but with this example it is easy to see the difference between preventive actions and corrective actions. In short, corrective actions are reactive to a problem after it happens, where preventive actions are proactive to a potential problem before it can happen.

Corrective Action vs. Preventive Action: A complete guide

 

Why do the recent ISO standards require corrective action and not preventive action?

The previous versions of ISO 27001, ISO 9001, ISO 14001, and other standards that align with Annex SL included requirements for a corrective action process and a preventive action process as part of the management system. The steps involved in both were essentially the same, but the action that triggered the process was different; corrective action reacted to a problem that occurred, where preventive action was initiated by the identification of a potential problem. There was often confusion about this when implementing earlier versions of these management systems; some people only used their preventive action process a few times, as it is a complex process and takes time away from reacting through corrective actions. Still other people interpreted any action during the corrective action process to prevent a recurrence to be preventive action.

So, now the most recent release of the management system standards aligned with Annex SL, such as ISO 27001:2013, ISO 9001:2015, and ISO 14001:2015, don’t require preventive action any longer. In some ways, this prevents the confusion mentioned above, but in other ways, ISO has indicated that the complex process that was previously involved in PA is unnecessary, and there are other parts of the standard that, when used properly, can effectively provide good preventive actions. Now preventive action is replaced by other parts of the standard, including:

  • Risk-based thinking – This new requirement asks that you identify areas that could affect the management system where you are uncertain of the outcome. This way of thinking entails identifying this uncertainty, or risk, and determining if you need to take action to prevent bad outcomes or to capitalize on positive outcomes; these are risks and opportunities (essentially positive risk). In these newer standards, assessing top-level strategic risks and opportunities is part of the planning clause; clause 6.
  • Improvement – Any improvement activities that you take to make the processes of your management system better are preventive actions. The focus of the new requirements is for each company to find good ways that work for them to improve processes, rather than having the complicated preventive action system in place from previous versions of the standards. If you have something as simple as a suggestion program that identifies how to make processes better and implements those changes, this could be an action to prevent a problem.

It should be noted that some other standards based on the ISO 9001 standard, including ISO 13485 and IATF 16949, still require preventive actions. In both of these standards, the preventive action process is still intended to be the systematic process to address identified potential issues, rather than the improvement activities mentioned above.

You can learn more about how risk-based thinking is replacing preventive action in the ISO 9001:2015 standard in this article: Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits

You can also read more on how Annex SL works in the article: Is ISO 45001:2018 compliant with Annex SL?

Complete guide to corrective action vs. preventive action - Advisera

How do you do corrective and preventive action?

The systematic process for CAPA has not really changed in the newer ISO management system standards, which are aligned with the ISO Annex SL format. Corrective actions are about improving behavior or performance of the process, and this hasn’t changed. In general, you need to:

1) Identify the process problem – Define what the problem actually is. First, make sure the problem is, in fact, a real problem, and not a perceived problem. A good test is if you can write the problem with a requirement to compare, what is often called a “Should Be” and “Is” statement (e.g. Parts should be nickel plated, parts were received painted black). If you can’t say what the outcome should be (or is expected to be), then you may not have identified a real problem.

2) Identify how big the problem is – What is the scope of the problem? Make sure you understand how big the problem to be addressed is. Is it just today’s product, or was yesterday’s product affected too? Is it just this one product, or is it on more than one product? Make sure you know what the problem is, and more importantly, what it is not. If the problem only happens on Wednesday, this may be important information.

3) Take action to contain the problem – How can we stop the problem while we fix the root cause? Make a correction to stop the problem for right now while you look for the ultimate cause and fix that. Basically, what immediate checks or stop gap measures are you putting in place to make sure that you will definitely catch the problem again if it recurs while you are fixing it.

4) Identify the root cause of the problem – What is the base of the problem, not just the surface manifestation? This is the trickiest part. How do you make sure you have found the underlying issue? There are many different ways to do this, from asking “Why” five times until you find the ultimate cause, to more difficult methods like a classic Ishikawa (or Fishbone) Diagram. Whole training courses have been dedicated to this topic, but suffice it to say that you want to try to identify the underlying problem, not just a surface problem. After this step, it is wise to make sure that your scope has not become bigger, making further containment actions necessary.

Fishbone Diagram Potential caues of the problem separated into six categories

 

 

5) Come up with a plan to fix the root cause – What do you need to change to eliminate the root cause? Decide what steps are needed to eliminate the root cause of the problem. Here, depending on the problem, you will need to identify the cost and return on investment. How will it be funded (if it is a complicated and expensive fix), and who needs to approve the expense? Make sure the planned changes will not cause further problems.

6) Put your plan in place – Do what you have planned. This is as simple as following through on your plan and making it happen. It could be as simple as implementing the preventive maintenance program already described, or buying and installing a new piece of equipment because the old one could no longer keep the accuracy you need.

7) Check that your plan worked – Make sure your plan was effective. Simply put, after you have made your updates, wait a suitable amount of time and make sure the problem doesn’t recur. If it does, you need to question if you got the actual root cause. This is the most important step, but also the step that most companies have trouble with. Often, people want to close out the paperwork quickly, or think the registrar requires closure early to demonstrate timeliness, but proper follow-up is essential.

Many companies will have a corrective action form that follows this process, or a modified process, to capture the information and ensure that you do not forget any steps. Having a good systematic process is important to find and fix the root of the problem for large, systemic issues within your organization. If you only treat the symptom, then the problem will come back. The goal of corrective actions is to correct the root of the problem, so the failure does not recur.

What is a corrective action plan?

The corrective action plan is a set of actions to eliminate the problem. The corrective action plan is about addressing the root cause of the problem, not simply correcting the symptom that has been found.

Any time you have any nonconformity, you will be taking steps to correct the nonconformity, but what you correct is the difference between a simple correction and a corrective action. With a correction, you will address the most obvious problem so that you can remove the nonconformity and make the process acceptable to continue. This is a correction, which may be part of the containment actions.

Conversely, if you look at a problem that has resulted in a nonconformity, and investigate the causes of that problem until you understand the cause – which was the start of the chain that resulted in the nonconformity (known as the root cause) – and you take actions to correct this root cause so that it cannot happen again, you have taken a corrective action for the problem.

Complete guide to corrective action vs. preventive action - Advisera

For instance, adding in additional inspection may contain the process problem in the short term, but the corrective actions will stop the problem from occurring again.

What should a corrective action plan include?

When you have identified the root cause of the problem, it is time to create a corrective action plan to eliminate it. Some things to think about when preparing your corrective action plan include:

  • Fully assessing the root cause – Have we fully assessed the root cause, or could there be a further underlying cause to what has been identified?
  • Assess the risks and opportunities of the change – It has always been important to make sure that the changes you have decided to make are not going to cause more problems, but with the new version of the ISO standards there is a requirement to address the risks and opportunities that are present when you are going to make a change. For example, by making a process change to address a root cause, is there a risk that the output of the process will cause a problem further on in your business, or even at your customer’s site? If you have identified a good corrective action for one process, is there an opportunity that this can be put in place for other processes to prevent problems from occurring in the future?
  • Identify the steps needed – What are the steps needed to eliminate the root cause from the process?
  • Assess schedule & cost – What is the timeline of implementation? What are the cost and return on investment? Are there other alternatives that need to be assessed? Is this plan feasible?
  • Plan for assessment along the way – As you work through your plan, do you need to make changes? Assessing if the plan is working as you proceed can help to ensure that your final assessment for effectiveness will give authentic results.
  • Plan for assessment of effectiveness – Before starting on the plan, how will we know the changes actually worked? Will a key performance indicator improve? Will we have to wait for several months to ensure the problem doesn’t come back (which would mean we didn’t address the root cause)?

As you can see, the corrective action plan is essentially equivalent to any other project plan you would create in your organization. It is important to set expectations for how long the plan will take, what resources will be required, and when you will be completely done with the corrective action. It is an important note that the ISO standards include a statement that the corrective actions taken should be appropriate to the significance of the effects presented by the nonconformities; so, it is not expected that you will spend an exceptional amount of time and money to address a small problem. Remember this when you assess the feasibility of the plan.

What is a preventive action plan?

A preventive action plan, created for preventive actions, needs to include all of the same things that a corrective action plan does, as outlined above. If you are taking action to remove an identified risk, this should also be treated like a project, with the same adequate oversight and budgeting of resources.

It is, of course, important to note that even a CA plan includes elements to prevent the problem from happening in the future. The distinction of the PA plan is that it is implemented proactively for a potential problem, rather than as a reaction to an existing problem.

Why is corrective action important?

When dealing with a systemic problem, one that is not due to a one-time mistake, but rather is caused because of something in the system, you can lose a lot of time and money by ignoring it. This is why corrective action is important. If people are performing unnecessary activities to continually fix problems that occur, or need to be constantly vigilant to catch problems that happen all the time before they go further, then you can save a lot of resources by taking the necessary actions to stop the problems from happening again. The CA process is part of the Quality Management System to save you time and money.

It is important to note that one of the issues with the corrective action process is that it is difficult to use for small, non-systemic problems where a root cause is not able to be found. For this reason, the new ISO 9001:2015 standard (and others related to it, such as ISO 14001:2015 and ISO 45001:2018) has added into the requirements a decision after you have corrected the problem.

Once you have fixed the problem that was found, you can determine the need to take action to eliminate the root cause of the nonconformity. If you determine this is not needed, such as for a one-time issue that shows no signs of recurrence, you can stop the corrective action process without going further. You will still want to follow up to ensure the problem does not recur and, if it does prove to be systemic, change your decision and take further actions.

Of course, it is important to remember that some other standards based on the ISO 9001 standard, including ISO 13485 and IATF 16949, have not made this change to decide on the need to address root cause.

When should a leader take corrective action?

Corrective action is about doing more than just fixing a small problem; it is about addressing a systemic issue that needs elimination rather than a small error that needs correction. So, a leader should take corrective action when a systemic problem has been found. Some ideas for things leaders should review to look for potential systemic issues include:

  • Key performance indicators (KPI) – Are there routine problems indicated by the performance indicators you have chosen? Do your KPIs show you that your processes are working properly?
  • Review of records – Do your records show regular problems that should be investigated, such as a cyclic delay that always happens on a certain date in the month?
  • Feedback from employees – If there are employee suggestions of issues they are continually resolving, do you need to investigate further?
  • Results of audits – Audits are used to point out where processes aren’t meeting planned requirements, and assessing these shortcomings could point out systemic problems. This includes internal audits and customer audits, as well as certification audits.

How do you implement corrective action?

Implementing corrective action is as simple as following the plan you have identified. Perform each step you have identified, ensure it is completed satisfactorily, and assess that changes have not introduced new risks that you need to further address. Once again, thinking of your CA plan as a project plan can help you to understand how implementation should proceed.

For implementation of a complex plan, you may want to use a Gantt chart to organize all of the activities, who will be doing them, and by when. This type of tool can also indicate which activities can occur in parallel, and which need to wait until other actions have taken place. Even if you choose another method to track your implementation, it is important to ensure that actions are identified with resources, timelines, and how complete they are.

How do you write a corrective action report?

As with any other report in an organization, the corrective action report can take whatever form is adequate in your company. Larger companies, with many people in top management, may want formalized reports for big corrective actions – as they would for any project. These reports may include executive summaries, detailed outcomes and expenses incurred, and evidence for effective closure. Others may simply include a completed CAPA form as the report.

There are some requirements for records to be kept in the ISO management system standards, and this should be included as part of your report, at a minimum. The ISO management system standards based on Annex SL, such as ISO 27001:2013, ISO 22301:2019, ISO 9001:2015, or ISO 14001:2015, require that the following be kept as CA records:

  • The nature of nonconformities you have taken corrective actions for
  • The actions taken in the corrective actions
  • The results of the corrective actions, which would include the effectiveness

Remember that the process is there to help you to save resources by removing larger systemic problems from your organization, rather than being a burden to your company. Make sure you implement a CAPA system that will work for you; not one that is just there for show. Removing problems can be one of the best ways to make your organization better.

To learn more about how to use corrective actions for an internal audit, download this free white paper: How to perform an internal audit using ISO 19011

Advisera Mark Hammar

Mark Hammar

Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.
Read more articles by Mark Hammar