The International Standards require the organisation to have a documented procedure for preventive action. However, it is worth noting that the combination of corrective action and preventive action documented procedures into a single QMS document is acceptable, but is not recommended. If these are combined, then it is important for the auditor to verify that the organisation understands clearly the difference between the intent of corrective and preventive actions.
The standard requires this documented procedure to include various important points:
1. How the organisation determines potential nonconformities and their causes. Typical examples might include:
• trend analysis for process and product characteristics (output from the data analysis process)
• alarms to provide early warning of approaching ‘out-of-control’ operating conditions
• monitoring of customer perception, by both formal and informal feedback systems
• ongoing failure mode and effect analysis for processes and products (this is a requirement of TS 16949, for the automotive industry, for example)
• evaluation of nonconformities that have occurred in similar circumstances, but for other products, processes, or other parts of the organisation, or even in other organisations
• through planning activities for both predictable situations (e.g. due to expansion, maintenance, or personnel changes – see also ISO 9001 (Quality Management Systems), Clause 5.4.2b)) and for unpredictable situations (e.g. naturally occurring problems such as hurricanes, earthquakes, floods, etc.)
2. An evaluation of the need for preventive action. Methods used in the evaluation could include risk analysis approaches or failure mode and effect analysis (neither of these specific approaches or methodologies is a requirement of ISO 9001 (Quality Management Systems)).
3. How the organisation determines what action is required, and how it is implemented. An auditor should look for evidence that:
• the organisation has analysed the causes of potential nonconformities (use of cause and effect diagrams and other quality tools may be appropriate for this)
• the required actions are deployed in all relevant parts of the organisation, and in a timely manner
• there are clear definitions of the responsibilities for the identification, evaluation, implementation and review of preventive actions
4. Records of the results of the actions taken:
• does the organisation define what records are to be retained?
• are they appropriate, and are they a true reflection of the results?
• are they being controlled in accordance with ISO 9001 (Quality Management Systems) clause 4.2.4?
5. A review of the preventive actions taken:
• were the actions effective (i.e. nonconformity prevented from occurring and were there any additional benefits)?
• is there a need to continue with the preventive actions the way they are?
• should they be changed, or is it necessary to plan new actions?
There is often significant ‘philosophical’ discussion between the auditor and the organisation about where corrective action ends, and where preventive action begins. For example, if a nonconformity is detected in process A, are actions taken to avoid future nonconformities in processes B, C and D preventive actions, or simply within the scope of the corrective actions taken for process A? The auditor should avoid being side-tracked by these discussions, and concentrate on whether or not the actions were effective; from a professional viewpoint, such actions would inevitably be read across to other processes. The labelling of the actions taken is of secondary importance.