Denise Robitaille


Preventive Action Is About Risk

It’s not a sequel to corrective action

Published: Monday, December 19, 2011 - 15:22

The ISO 9001 requirements pertaining to preventive action would get a lot more attention if people grasped the very simple fact that this is all about managing risk—which is really about managing the consequences of change. Whenever we change something, even for the better, there are consequences—ripples across the waters through which we navigate our quality management systems. Failure to anticipate the consequences of those changes is how we end up with bad things happening. Like the hapless rafter who is surprised by the rapids, our craft is buffeted and tossed. We get banged against partially hidden rocks, we lose our bearings, our provisions get lost in the swirl, and sometimes our vessel capsizes and we’re left adrift, at peril of going under.

Let’s briefly go back to ISO 9001, the standard for quality management system requirements from the International Organization for Standardization (ISO), and investigate the misconceptions surrounding this process. This ISO standard, along with regulatory requirements like the Food and Drug Administration’s (FDA) 21 CFR Part 820, has perpetuated the notion that preventive action follows corrective action. They’ve done this (perhaps unwittingly) by locating the two requirements adjacent to one another in their respective documents. In fact, in both documents cited, preventive action is situated after corrective action in the text, further compounding the misconception. In actuality, these two processes are only related to the extent that each utilizes some of the same investigative and project management tools for implementation. Any other similarity is not only wrong, it is also counterproductive. It diminishes the effectiveness of both processes by confusing the users.

Preventive action is about risk. It is not a sequel to corrective action. It comes first. The better job organizations do when conducting preventive actions, the fewer corrective actions they will have to deal with. We manage the consequences of change in order to mitigate risk.

ISO 9001 talks about addressing potential problems and their causes. It has language about determining potential problems and their probable causes, evaluating the need for action, implementing the action and reviewing actions taken to assess effectiveness. This is all swell, except it still leaves a lot of folks confused about where the potential problems and their causes are coming from.

Where are the data that feed this beast? Do we just meander willy-nilly through our processes looking for problems? It begins to border on paranoia.

How then can we bring sanity to this requirement? And, bear in mind, this is a requirement; it is not optional.

One of the first places to look for help is in ISO 9004—“Managing for the sustained success of an organization—A quality management approach.” Its subclause 9.3.5—“Planning innovation and managing risk,” states: “The organization should assess the risks related to planned innovation activities, including giving consideration to the potential impact on the organization of changes, and prepare preventive actions to mitigate those risks, including contingency plans, where necessary.” It clearly makes the links between change, risk, and preventive action. Other references to preventive actions are scattered throughout the document. But there is one other section that does an even better job of providing helpful guidance, even though it doesn’t specifically mention preventive action.

ISO 9004 subclause 4.4—“Interested parties,” discusses meeting the needs and expectations of interested parties. The text illuminates the value of monitoring interested parties due to the impact they can have on the organization. Interested parties include: customers, owners/shareholders, people in the organization, suppliers and partners, and society.

ISO 9004 notes the fact that different interested parties may have concerns and expectations that conflict. For example, the modern consumer may pine for the days of large-finned, gas-guzzling automotive behemoths. But the environment will no longer tolerate millions of carbon monoxide-belching vehicles. Balancing the needs and expectations of both parties means assessing the risks inherent in whatever action is taken and proceeding accordingly. The organization must then assess the situation and determine how best to address the needs and expectations in a balanced manner. Failure to adequately address the needs and expectations will inevitably result in some unpleasant consequence: loss of market share or government penalty.

The other thing to consider is that the needs and expectations may change over time. Risk is inherent whenever change is not managed. This results in an inability to mitigate problems that may ensue due to lack of vigilance—or simple wishful thinking.

ISO 9004 provides still more guidance that can be used to anticipate risk. In ISO 9004 section 6—“Resource management,” there is discussion of managing a variety of different resources such as suppliers, infrastructure, money, raw materials, and people. Risk accompanies any change to the quantity, quality, availability or cost of resources. Therefore, monitoring your resources is another opportunity to mitigate risk.

The language in ISO 9004 provides significantly more concrete and useful guidance when it comes to initiating preventive action. It repeatedly talks about change and its consequences. So, if an organization wishes to implement effective and valuable preventive actions within its ISO 9001 quality management system, it should consider the wisdom found in ISO 9004.


About The Author

Denise Robitaille

Denise Robitaille is the author of thirteen books, including: ISO 9001:2015 Handbook for Small and Medium-Sized Businesses.

She is chair of PC302, the project committee responsible for the revision to ISO 19011, an active member of USTAG to ISO/TC 176 and technical expert on the working group that developed the current version of ISO 9004:2018. She has participated internationally in standards development for over 15 years. She is a globally recognized speaker and trainer. Denise is a Fellow of the American Society for Quality and an Exemplar Global certified lead assessor and an ASQ certified quality auditor.

As principal of Robitaille Associates, she has helped many companies achieve ISO 9001 registration and improve their quality management systems. She has conducted training courses for thousands of individuals on such topics as auditing, corrective action, document control, root cause analysis, and implementing ISO 9001. Among Denise’s books are: 9 Keys to Successful Audits, The (Almost) Painless ISO 9001:2015 Transition and The Corrective Action Handbook. She is a frequent contributor to several quality periodicals.