Preventive Action ≠ Risks and Opportunities?

While not mentioned in the original ISO 9001:1987, the term “preventive action” was introduced into ISO 9001:1994. Intended to be a simplistic, yet formalized proactive approach toward addressing “risks”, the new term created a great deal of confusion. This was primarily because the term wasn’t defined in the standard - and users rarely purchased ISO 8402:1994, “Quality management and quality assurance–Vocabulary”.

The Definition
With the release of ISO 9001:2000, ISO 8402 was renumbered and renamed to ISO 9000:2000, “Quality management systems–Fundamentals and Vocabulary”. The definition of “preventive action” is still present in ISO 9000:2015, and has remained unchanged since 1994 as:

action to eliminate the cause of a potential nonconformity or other potential undesirable situation

Note 1 to entry: There can be more than one cause for a potential nonconformity.
Note 2 to entry: Preventive action is taken to prevent occurrence whereas corrective action is taken to prevent recurrence.

Despite repeated and continued efforts by quality professionals (such as shown below), users continued to confuse corrective action (reactive) with preventive action (proactive).

Compounding the confusion, some organizations decided to use the same form for both corrective and preventive action (CAPA).

In ISO 9001:2015 the requirement for “preventive action” had been removed. And many people incorrectly viewed the concept as having been replaced with the more expanded of “risks and opportunities” (in section 6.1). Instead, “risks and opportunities” were to be considered during the planning. This becomes obvious when reading the requirement:

6.1 Actions to address risks and opportunities
6.1.1 When planning for the quality management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed to:
a) give assurance that the quality management system can achieve its intended result(s);
b) enhance desirable effects;
c) prevent, or reduce, undesired effects;
d) achieve improvement.

Upon reading ISO 9001:2015, take note that it repeatedly uses the term “risks and opportunities” as two separate concepts (in sections 4.4f, 5.1.2b, 6.1, 9.1.3e, 9.3.2e & 10.2.1e).

While not defined in ISO 9000:2015 or ISO 9001:2015, the term “risks and opportunities” is defined in ISO 14001:2015, “Environmental management systems — Requirements with guidance for use”.

ISO 14001:2015
3.2.11 risks and opportunities
potential adverse effects (threats) and potential beneficial effects (opportunities)

Interestingly, while a definition for “risk” was added to the ISO 9000:2015, “Quality management systems–Fundamentals and Vocabulary”, ISO chose not to include a definition for “opportunities”. Perhaps this is because ISO struggles with properly defining the word “risk” (Ref.: A Matter of "Risk"). Regardless of how ISO 9000:2015 defines “risk”, ISO 14001:2015 makes it clear that “risks” are “threats” (consistent with the etymology of the word). So, for the sake of simplicity, let's use the much better (more clear) definition contained in API Spec Q1, "Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry" (Ninth Edition, June 2013), published by the American Petroleum Institute (API).

API Spec Q1
3.1.19 risk
Situation or circumstance that has both a likelihood of occurring and a potentially negative consequence.

Use of “Preventive Action”
The seconfd issue with “preventive action” was its use.

Technically, the answer is yes. However, most users fail to understand that, just as “corrective actions” are only applicable to nonconformities that have resulted from “assignable (special) cause variations”, “preventive actions” are ONLY applicable to theoretical “assignable (special) cause variations” that have NOT occurred. Consequently, “preventive actions” continue to be misused.

Partly because of this widespread misuse, many ISO 9001 and AS9100:2016 Certification Bodies (registrars) are encouraging their clients to eliminate use of the term “preventive action”.

Interestingly, while either ignoring their own definition of “preventive action” or ignoring the existence of “common cause variation” (typical of many followers of the “Zero Defects” concept), ISO JTCG N359, “JTCG Frequently Asked Questions in support of Annex SL” (dated 2013-12-03), explains why the concept of “Preventive Action” was removed from ISO 9001.

“JTCG Frequently Asked Questions in support of Annex SL”
10. Why does the common text not include a specific clause on “Preventive Action”?
The high level structure and identical text does not include a clause giving specific requirements for “preventive action”. This is because one of the key purposes of a formal management system is to act as a preventive tool. Consequently, a MSS requires an assessment of the organization’s “external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s)” in clause 4.1, and to “determine the risks and opportunities that need to be addressed to: assure the XXX management system can achieve its intended outcome(s); prevent, or reduce, undesired effects; achieve continual improvement.” in clause 6.1. These two sets of requirements are considered to cover the concept of “preventive action”, and also to take a wider view that looks at risks and opportunities.

However, this presents challenges because several other industry-specific standards specifically require “preventive action” to be included in the QMS. For example:

• ISO 13485:2016, “Medical Devices — Quality management systems — Requirements for regulatory purposes”
• ISO 17020:2012, “Conformity Assessment — Requirements for the operation of various types of bodies performing inspection” (Option A)
• AAR M-1003:2019, Section J, “Specification for Quality Assurance”
• API Spec Q1, "Specification for Quality Management System Requirements for Manufacturing Organizations for the Petroleum and Natural Gas Industry" (Ninth Edition, June 2013)

An organization can certainly continue to use “preventive actions” as a methodology within its ISO 9001:2015 or AS9100:2016 QMS. However, the only practical application of “preventive actions” would be for addressing ”assignable (special) cause variations“ identified in Statistical Control Charts.

Supporting this, there is nothing stated in either the ”ISO/TC 176/SC 2 Listing of Approved Interpretations against ISO 9001:2015“ or ”US TC 176 - TG22 - Interpretations“ forbidding or restricting use of the “preventive action” methodology. And ISO 9000:2015 continues to recognize “preventive action” as a legitimate methodology (Ref. ISO 9000:2015, sec. 3.12.1).