There is often a discussion between the auditor and the organization about where corrective action ends and where preventive action begins. For example, a non-conformance is detected in process 'A', are the actions taken to avoid possible non-conformances in processes 'B' and 'C' preventive actions, or simply within the scope of the corrective actions taken for process 'A'?
The auditor should avoid being side-tracked by such discussions and concentrate on whether or not the actions were effective. One of the difficulties in auditing a preventive action program is that some organizations don't understand the differences between corrective actions and preventive actions.
What is Corrective Action?
A corrective action should be considered as a reactive response since it is taken upon detection of a non-conformity. An organization will first correct or contain the problem and then determine its root cause so they can take corrective action to prevent its recurrence.
What is Preventive Action?
Preventive action should be considered as a proactive undertaking, e.g., when we anticipate a potential problem and take action to eliminate the possible causes and prevent the occurrence of the non-conformance. The best time to take preventive actions is early in the product cycle, e.g., performing Failure Mode Effects Analysis and conducting Design Reviews.
What is FMEA?
FMEA (Failure Mode and Effects Analysis) is a management activity intended to assess actual and potential problems, assign a risk factor and decide a course of action. This method is used in many industries such as automotive, medical device manufacturing, aerospace, and chemical processing.
FMEA is not a specific ISO 9001 requirement, however this approach satisfies ISO 9001 Para 8.5.3 Preventive Action.
Auditing Preventive Action
Auditing any preventive action program begins with a review of the preventive action procedure required by standard. The organization may choose to have corrective actions and preventive actions covered in the same documented procedure. This is acceptable as long as the requirements in both clause 8.5.2 and 8.5.3 are addressed.
The auditor must look for evidence that the organization has analyzed the causes of potential non-conformances, that the required actions are deployed in all relevant parts of the organization and that there are clear definitions of the responsibilities for the identification, evaluation, implementation and review of preventive actions.
When a potential problem is identified, organizations must determine the action needed to eliminate the causes of the potential non-conformance and thereby prevent its occurrence. However, the action taken must be proportionate to the effects of the problem.
In other words, it would be acceptable to not take a preventive action if the anticipated problem is unlikely to happen, would have little impact, and would be easily detected. If a potential problem is low risk, the business decision may be to not attempt to prevent it.
However, if there is a need, the organization must determine and implement the appropriate preventive action. Records must be kept of the results. The action taken must be reviewed to assess its effectiveness in preventing the potential problem.
The focus should be on correcting and preventing problems, preventing problems is generally cheaper than fixing them after they occur, start thinking about problems as opportunities to improve!
When auditing any preventive action program, find out how potential non-conformities are identified. If they aren't analyzing trends and looking for warning signs, they may be ignoring possible problems that could be avoided if only they were considered.
Examine the preventive action records to see if the organization is following their procedure. Find out how they identify causes and determine the appropriate actions. Review the results to see if their actions were effective in preventing the problems.
Problem correction and avoidance is relatively simple: define the problem, identify the cause and take action to remove it. Preventive action is specifically required by ISO 9001:2008 (Para. 8.5.3), and it provides one of the most valuable links to continual improvement.
Looking for preventive action advice and interpretation?
More ISO 9001 information at ISO 9001 Checklist.