Article by Mark Hammar 13 min read
CAPA is an acronym for “corrective and preventive action.” Though these might sound similar, they are not the same. Let’s look at the differences in corrective vs preventive action.
Both corrective action and preventive action are designed to address problems that can occur in a process. The difference between corrective action vs preventive action lies in the timing and the situation. Corrective actions (CA) take steps to fix the cause of a problem after the problem has occurred, whereas preventive actions (PA) involve noticing the problem before it occurs, and taking steps to address the cause of the problem — before it happens.
It is important to note that corrective and preventive action plans share many common elements, while the primary difference is the trigger for the action. Corrective actions are initiated in response to a specific, isolated incident, whereas preventive actions are driven by data analysis. Preventive actions address potential issues identified through trends or patterns in data, aiming to improve future performance. For example, if the defect rate last year was 2% and the goal for this year is to reduce it to 1.5%, failure to achieve this improvement would be considered a non-conformity, necessitating preventive measures.
Let’s look at the difference between corrective and preventive action in more detail.
The meaning of corrective action is the reactive process used to eliminate the cause of an existing process nonconformity. Rather than preventing a problem before it occurs, the corrective action process involves identifying a problem, getting it under control through containment actions, and then taking the action needed to stop it from happening again.
We can define preventive action as the proactive process of identifying potential problems that could happen in a process, assessing what could cause these problems, and then taking action to prevent each problem from occurring before it happens. In short, the preventive action process is designed to prevent a potential problem from occurring in the first place.
Let’s look at some examples to help us better understand corrective action vs preventive action:
This is an example that uses a product problem, where CAPA in the management system normally involves process problems, but with this example it is easy to see the difference between preventive action vs corrective action.
As you can see in the chart below, the CAPA process figures prominently in several international standards and the management systems based on them — although corrective action has more recently become the focus, rather than preventive action.
The previous versions of ISO 27001, ISO 9001, ISO 14001, and other standards that align with Annex SL included requirements for a corrective action process and a preventive action process as part of the management system. The steps involved in both were essentially the same, but the action that triggered the process was different; corrective action reacted to a problem that occurred, where preventive action was initiated by the identification of a potential problem. There was often confusion about this when implementing earlier versions of these management systems; some people only used their preventive action process a few times, as it is a complex process and takes time away from reacting through corrective actions. Still other people interpreted any action taken during the corrective action process to prevent a recurrence to be preventive action.
The most recent release of the management system standards aligned with Annex SL, such as ISO 27001:2013, ISO 9001:2015, and ISO 14001:2015, no longer require preventive action. One reason could be that this prevents the confusion mentioned above; in addition, ISO has indicated that the complex process that was previously involved in PA is unnecessary, and there are other parts of the standard that, when used properly, can effectively provide good preventive actions. Now preventive action is replaced by other parts of the standard, including:
It should be noted that some other standards based on the ISO 9001 standard, including ISO 13485 and IATF 16949, still require preventive actions. In both of these standards, the preventive action process is still intended to be the systematic process to address identified potential issues, rather than the improvement activities mentioned above.
You can learn more about how risk-based thinking is replacing preventive action in the ISO 9001:2015 standard in this article: Risk-based thinking replacing preventive action in ISO 9001:2015 – The benefits.
You can also read more on how Annex SL works in the article: Is ISO 45001:2018 compliant with Annex SL?
As mentioned, the preventive action process has been eliminated from most ISO standards; however, some quality management standards, such as IATF 16949 and ISO 13485, still require preventive actions. In general, the steps in the preventive action procedure include:
A preventive action plan needs to include all of the same things that a corrective action plan does, as outlined in the text below. If you are taking action to remove an identified risk, this should also be treated like a project, with the same adequate oversight and budgeting of resources.
The systematic corrective action process is essentially the same in the newer ISO management system standards aligned with the ISO Annex SL format. Corrective actions are still about improving behavior or the performance of a process.
1) Identify the process problem. First, make sure the problem is, in fact, a real problem, and not just a perceived problem. A good test is if you can write the problem with a requirement to compare, what is often called a “Should Be” and “Is” statement (e.g.: Parts should be nickel plated; parts were received painted black). If you can’t say what the outcome should be (or is expected to be), then you may not have identified a real problem.
2) Identify how big the problem is. What is the scope of the problem? Is it just today’s product, or was yesterday’s product affected, too? Is it just this one product, or is it on more than one product? Make sure you know what the problem is — and, more importantly, what it is not. For example, if the problem only happens on Wednesdays, this may be important information.
3) Take action to contain the problem. How can you stop the problem while you fix the root cause? Make a correction that stops the problem in the short term, while you look for the ultimate cause and fix that. Basically, what immediate checks or stopgap measures are you putting in place to make sure that you will definitely catch the problem again if it recurs while you are fixing it?
4) Identify the root cause of the problem. How do you make sure you have found the underlying issue? This is the trickiest part. There are many different ways to do this, from asking “Why” five times until you find the ultimate cause, to more difficult methods like a classic Ishikawa (or Fishbone) Diagram. Whole training courses have been dedicated to this topic, but suffice it to say that you want to try to identify the underlying problem, not just a surface problem. After this step, it is wise to make sure that your scope has not become bigger, making further containment actions necessary.
5) Come up with a plan to fix the root cause. What do you need to change to eliminate the root cause? Here, depending on the problem, you will need to identify the cost and return on investment. How will it be funded (if it is a complicated and expensive fix), and who needs to approve the expense? Make sure the planned changes will not cause further problems. This is called a corrective action plan (we’ll go into further detail below).
6) Put your plan in place. This is as simple as following through on your plan and making it happen. It could be as straightforward as implementing the preventive maintenance program already described, or buying and installing a new piece of equipment because the old one could no longer keep the accuracy you need.
7) Check that your plan worked. Simply put, after you have made your updates, wait a suitable amount of time and make sure the problem doesn’t recur. If it does, you need to question if you got the actual root cause. This is the most important step, but also the step that most companies have trouble with. Often, people want to close out the paperwork quickly, or think the registrar requires closure early to demonstrate timeliness, but proper follow-up is essential.
Many companies will have a corrective action form that follows this process, or a modified process, to capture the information and ensure that they do not forget any steps. Having a systematic process is important to find and fix the root of the problem for large, systemic issues within your organization.
The corrective action plan is a set of actions designed to eliminate the problem at its source.
Any time you have any nonconformity, you will be taking steps to correct it, but what you correct is the difference between a simple correction and a corrective action. With a correction, you will address the most obvious problem so that you can remove the nonconformity and make the process acceptable to continue while you look for the root cause.
Conversely, once you have investigated the causes of the problem until you understand the root cause, and then taken actions to correct this root cause so that the problem cannot recur, you have taken a corrective action.
For instance, a correction, such as an additional inspection, may contain the process problem in the short term — but the corrective action will stop the problem from occurring again.
Some things to think about when preparing your corrective action plan include:
As you can see, the corrective action plan is essentially equivalent to any other project plan you would create in your organization. It is important to set expectations for how long the plan will take, what resources will be required, and when the corrective action will be complete. It is important to note that the ISO standards include a statement that the corrective actions taken should be appropriate to the significance of the effects presented by the nonconformities; so, it is not expected that you will spend an exceptional amount of time and money to address a small problem. Remember this when you assess the feasibility of the plan.
Implementing corrective action is as simple as following the plan you have identified. Perform each step, ensure it is completed satisfactorily, and make sure that the changes have not introduced new risks that you need to address further. Once again, thinking of your corrective action plan as a project plan can help you to understand how implementation should proceed.
For implementation of a complex plan, you may want to use a Gantt chart to organize all of the activities, who will be doing them, and by when. This type of tool can also indicate which activities can occur in parallel, and which need to wait until other actions have taken place. Even if you choose another method to track your implementation, it is important to ensure that actions are identified with resources, timelines, and level of completion.
When dealing with a systemic problem, one that is not due to a one-time mistake, you can lose a lot of time and money by ignoring it. If people are performing unnecessary activities to continually fix problems that occur, or if you need to be constantly vigilant to catch problems that happen all the time before they go further, then you can save a lot of resources by taking the necessary actions to stop the problems from happening again. The corrective action process is part of the Quality Management System to save you time and money.
It is important to note that one of the issues with the corrective action process is that it is difficult to use for small, non-systemic problems where a root cause cannot be found. For this reason, the new ISO 9001:2015 standard (and others related to it, such as ISO 14001:2015 and ISO 45001:2018) now requires a decision after you have corrected the problem.
Once you have fixed the problem that was found, you must decide on the need to take action to eliminate the root cause of the nonconformity. If you determine this is not needed, such as for a one-time issue that shows no signs of recurrence, you can stop the corrective action process there. You will still want to follow up to ensure that the problem does not recur, and, if it does prove to be systemic, change your decision and take further action.
Of course, it is important to remember that some other standards based on the ISO 9001 standard, including IATF 16949, have not made this change, and addressing the root cause is still required.
Corrective action is about doing more than just fixing a small problem; it is about addressing a systemic issue that needs elimination rather than a small error that simply needs correction. Leaders should review the following to look for potential systemic issues:
As with any other report in an organization, the corrective action report can take whatever form is adequate in your company. Larger companies, with many people in top management, may want formalized reports for big corrective actions — as they would for any project. These reports may include executive summaries, detailed outcomes, expenses incurred, and evidence for effective closure. Others may simply include a completed CAPA form as the report.
There are some requirements for records to be kept in the ISO management system standards, and this should be included as part of your report, at a minimum. The ISO management system standards based on Annex SL, such as ISO 27001:2013, ISO 22301:2019, ISO 9001:2015, and ISO 14001:2015, require the following to be kept as CA records:
Remember that the process is there to help you to save resources by removing larger systemic problems from your organization, rather than being a burden to your company. Make sure you implement a CAPA system that will work for you, not one that is just there for show. Removing problems can be one of the best ways to make your organization better.
To learn more about how to use corrective actions for an internal audit, download this free white paper: How to perform an internal audit using ISO 19011
