Preventive Action

Preventive actions are pro-active – something could go wrong and these are actions taken to stop it from happening, or to stop it from becoming too severe.

If something has already gone wrong, it is a non-conformance that is addressed with corrective actions.

ISO 9001:2008 requires that you document your Preventive Action procedure (clause 8.5.3). You are also required to keep records on Preventive actions you’ve identified and the actions you took.

ISO 9001:2015 has no clause referring to ‘preventive action’. Instead, the concept is embedded in ‘risk-based thinking’ that is part of your planning processes (clause 6.1). There’s no requirement for a procedure, or even records*.

In order to identify risks that need preventive action, adequate monitoring and controls must be in place in the quality system to assure that potential problems are identified and eliminated before they happen. If something in the quality system indicates that a possible problem may develop, some action must be taken to avert it and then eliminate the potential situation.

You can identify opportunities for preventive action (or risks and opportunities) in a number of ways:

  • Through the management review process
  • Process / Performance monitoring
  • Analysis of warranty data and customer feedback for trends
  • Process analysis
  • Look for trends in the root causes of corrective actions
  • Risk assessment, FMEA (Failure Mode Effects Analysis) – i.e. what could go wrong and what would happen if it did)
  • Employee suggestions for improvement
  • Contingency planning, Disaster recovery planning.
  • Production planning
  • Monitoring changes in legislation, regulations,
  • Reviewing changes in the marketplace
  • Assessing new technology
  • Internal / External Quality Audit Findings
  • Employee Observation

Once you’ve identified a potential source of problems and the possible effects, you need to assess how likely it is to happen, and whether the costs associated with reducing the risk are worth it. This is effectively risk management.

If you are documenting a Preventive Action or ‘Managing Risk’ procedure, you should include information on:

  • How you identify a potential problem
  • Where and how it should be recorded
  • how the cause should be investigated, and by who
  • deciding on what action will be taken
  • how to record the actions taken
  • assessing the solution for effectiveness and documenting the evidence to support your decision.
  • when and who can finally close the issue

*Although there’s no explicit requirement to keep records under ISO 9001:2016 clause 6.1, you might decide that you ought to based on clause “4.4 QMS and its processes”, which states that you should “retain documented information” “to the extent necessary” to “have confidence that the processes are being carried out as planned”.

The records you keep on actions taken provide evidence that an effective quality system has been implemented and that it is able to anticipate, identify and eliminate potential problems.

If you decide to do nothing in response to an identified risk, be sure to document the reasons behind the decision.

Preventive actions are recorded in QSToolbox with “Issues”. Our user guide has more information on how QSToolbox helps you manage various kinds of issues, including preventive actions.