ISO 9001: What Are Corrective and Preventive Actions?

Get Started Today

  • Customized certifications
  • Located nationwide
  • Save time & money
  • No extra or hidden fees
Request a Quote

When it comes to quality management, corrective and preventive actions are crucial activities. These concepts, often referred to as CAPA, help you address risks, refine processes, and drive continual improvement.

The requirements for corrective and preventive action can be found in most ISO management system standards, but they are most commonly associated with ISO 9001. This international standard contains the specifications for implementing and maintaining a QMS (Quality Management System).

It’s worth noting that ISO 9001:2015 replaced the term ‘preventive action’ with the concept of ‘risk-based thinking’, and this shift aligns with the fact that Annex SL now takes a more risk-based approach. However, while ‘preventive action’ has been removed in favor of a broader, risk-based thinking approach, which encompasses both preventive and proactive actions, the concept of corrective and preventive actions (CAPA) is still a critical strategic plank for most management systems.

By performing corrective and preventive actions, you can be confident that your QMS meets the standard’s specifications and that any existing or potential nonconformities are addressed.

what is corrective action - the role of risk assessments

What Is Corrective Action and How Does It Differ From Correction?

Corrective action eliminates the causes of undesirable situations, system failures, or nonconformities in your management system. It ensures that weaknesses in your policies or processes are addressed as soon as they’ve been identified and that they won’t reoccur. In contrast, corrective actions only eliminate the undesirable situation, failure, or nonconformity that was detected.

Although you will have taken reasonable steps to avoid these weaknesses when implementing your QMS, nonconformities may emerge over time—whether due to changes in the business environment, customer requirements, or internal factors.

Therefore, when a problem emerges, you need to act swiftly to determine the scale of the problem and take corrective action.

You must consider:

  • Does this weakness create an ongoing problem?
  • How can we prevent the weakness from getting worse?
  • How can we rectify the situation and prevent it from reoccurring?

An example of corrective action would be a software development company discovering that one of its products has a bug that is impacting customer satisfaction. It recognizes that the problem will persist unless it fixes the bug, so it issues a warning to notify users that they’re aware of the issue while its team works on a permanent solution and investigates what caused the bug. An initial correction may be issued in the form of a software patch. Once the cause(s) of the bug are determined the company will issue a permanent solution for the software and implement controls in their development process to prevent reoccurrence of the bug.

Learn more about the role that customers play in developing your QMS.

corrective and preventive actions - corrective action example

What Is Preventive Action?

Preventive action is another way to address nonconformities in your management system, but unlike corrective action, these measures occur before the weakness has emerged. It’s an ongoing activity, as you regularly monitor your QMS and consider:

  • What processes or components in our QMS might create nonconformities?
  • What’s the potential impact of these risks?
  • Is there anything we can do to stop this from happening?
  • What measures or processes do we have in place to monitor risk and potential failures of the QMS?

Although corrective and preventive action are both crucial elements in quality management, they serve different purposes. You can think of corrective action as reactive, correcting and preventing the reoccurrence of the weaknesses you’ve identified. By contrast, preventive action is proactive and prevents undesirable situations, system failures, or nonconformities from occurring in the first place.

The Importance of Corrective and Preventive Action

Corrective and preventive actions are essential processes for a successful QMS. They provide a systematic way to address weaknesses, which can help your operations run smoothly while avoiding additional costs, delays, and disruption.

Without these measures, it could take longer to spot problems—which could compromise the quality of the products and services you deliver, or result in nonconformities that could jeopardize your ISO 9001 certification status.

But as important as these measures are to ISO 9001, you won’t find the phrase ‘preventive action’ in the most recent version of the standard—or any other ISO management system. This is due to a change in Annex SL, which now takes a more risk-based approach.

As such, preventive action is no longer a specific requirement but is instead an overarching objective, and its principles should be embedded in the way the standard’s specifications are implemented and maintained.

This change is also reflected in AS9100, the aerospace industry’s quality management standard. However, other standards based on ISO 9001, such as ISO 13485 and IATF 16949, still include specific requirements for preventive action.

Discover more management system requirements with our guide to the ISO certification process.

corrective actions - team of works identify corrective actions

How to Perform Corrective Action

The corrective action process is consistent across all ISO management system standards. It offers a systemic way to identify problems in your operations and prevent them from recurring.

You can perform corrective action by completing the following steps:

Define the problem

To correct a weakness in your QMS, you first need to understand what has gone wrong. You should describe the problem in detail, which at this stage will likely focus on the knock-on effects to your business. For example, you might document which services and operations have been disrupted and how this affects the quality of your output.

One of your primary objectives is to determine whether it’s a genuine and ongoing problem that jeopardizes your conformity with ISO 9001. If it’s a minor error or a false alarm, you can make a quick adjustment without having to go through the entire corrective action procedure.

Establish an investigation team

After defining the problem, the next step is to assemble an investigation team to learn more about it. The team should be comprised of individuals familiar with your QMS and the specific area where the issue occurs. This might include department heads, quality managers, or IT personnel.

Their goal is to confirm the details of the problem and to perform triage. This is a preliminary assessment to determine the most urgent issues and the steps that should be taken to fix them.

Perform containment actions including correction

It could take your investigators some time to complete their assessment. In the meantime, they should implement any short-term solutions that can contain the damage and stop the problem from worsening.

For instance, they might isolate affected areas, suspend a specific operation, or notify customers and other stakeholders about the problem.

Identify the root cause

While part of your team focuses on containment action, the other members should focus on identifying the root cause. This will help you understand what exactly has gone wrong and ensure that you fix the issue properly rather than merely addressing the symptoms.

There are several techniques you can use here, such as:

Your goal is to delve into the problem until you reach its core. This is often more complex than it seems because what appears to be the root cause might be a knock-on effect of something else. It’s essential to keep analyzing until you isolate the place in the process where the weakness originates. It is also important to consider that many problems have more than one root cause in the following categories:

  • Occurrence root cause(s)—The direct cause(s) of the problem, such as what caused the problem to occur.
  • Detection root cause(s)—Cause(s) related to the failure of processes to detect the failure, such as why it went unnoticed.
  • System root cause(s)—What process or method system failed in the management system that allowed the failure to occur?

Plan and adopt corrective actions

The next stage is to implement corrective actions. You first need to plan these actions, which will depend on the nature of the incident and its root cause. Sometimes, the corrective action could be as simple as changing your procedures or updating your systems, but it could require more comprehensive work, such as investing in new equipment.

Before adopting any measures, you should ensure that you have the necessary support. This might mean confirming the plans with the department head or seeking approval from senior management.

With the plan in place, you should execute these actions and ensure they have been performed sufficiently. The investigation team should continue to monitor the corrective actions and confirm that the problem has been resolved.

Learn more about your implementation requirements with our ISO 9001 Checklist.

How To Perform Preventive Action

Preventive action is now embedded within the broader requirements for implementing a management system. As such, there are general activities you perform when establishing and maintaining your QMS to ensure that preventive action is considered rather than a standard checklist to complete.

The way your organization approaches preventive action will depend on the specific nature of your QMS, but in general, you should:

Identify potential problems

You should regularly monitor your QMS to identify ways that system failures or nonconformities could emerge. This could be done by analyzing operational data, customer complaints, or staff feedback.

Document procedures related to those activities

Developing and maintaining written procedures that outline how nonconformities are identified and prevented is essential. These documents might include processes for monitoring performance, assessing risks, or managing quality.

Audit your processes

Internal audits offer a comprehensive review of your QMS, looking at policies, processes, and activities related to your quality management. They test the system’s effectiveness and help you determine whether key personnel understand their requirements.

Perform staff training

Employees should know their role in maintaining conformity with your management system. Training can help them understand the importance of their tasks, follow procedures correctly, and identify potential issues before they escalate.

Conduct management reviews

Senior personnel should regularly review your internal audits, staff awareness training results, and policies to check your progress toward objectives. These reviews can identify any potential areas of nonconformity, assess the need for changes to the management system, and make informed decisions for continuous improvement.

The current version of ISO 9001 focuses on the use of risk-based thinking.

Get more guidance on risk-based thinking.

How Orion Certification Can Help

If you’re ready to implement ISO 9001, Orion Certification is here to help. Our team of expert auditors provides a range of services to support your implementation project. As an ANAB-accredited body, we’re authorized to perform certification audits against various management system standards.

Contact us today to get started.

Written by

Julian Russell

Get Started on Your Certification Journey Now

Your certification costs will depend on the size of your business, location, and the sector you’re in.