They set out the standard clause numbers under which the specific requirements of all management standards should be detailed.

These are (XXX is the appropriate Management System, such as “quality management”):

• Introduction
• 1. Scope
• 2. Normative references
• 3. Terms and definitions
• 4. Context of the organisation (with sub clauses covering 4.1 Understanding the organisation and its context, 4.2 Understaning the needs and expectations of interested parties, 4.3 Determining the scope of the management system, and 4.4 XXX management system)
• 5. Leadership (with sub clauses covering 5.1 General, 5.2 Management commitment, 5.3 Policy, 5.4 Organisational roles, responsibilities and authorities)
• 6. Planning (with sub clauses covering 6.1 Actions to address risks and opportunities, 6.2 XXX objectives and plans to achieve them)
• 7. Support (with sub clauses covering 7.1 Resources, 7.2 Competence, 7.3 Awareness, 7.4 Communication, 7.5 Documented information)
• 8. Operation
• 9. Performance evaluation (with sub clauses covering 9.1 Monitoring, measurement, analysis and evalaution, 9.2 Internal audit, 9.3 Management review)
• 10. Improvement (with sub clauses covering 10.1 Nonconformity and corrective action, 10.2 Continual improvement)

At first glance, preventive action seems to have disappeared. In fact it is still there but in Annex E where the use of common terms is management system standards is discussed.  It points out that the term “preventive action” deal with under dealing with nonconformities in some management system standards (ISO 9001:2008 is a good example) but in other standards (ISO 27001:2005 is an example) it is dealt with under risk management.

My own experience is that the close proximity of the terms ”corrective action”, “preventive action”, “occurrence” and especially “prevent recurrence” in the clause dealing with “corrective action” in ISO 9001:2008 has most people confused about the difference between “preventive” and “corrective” action. See here.

In ISO 9001:2008, preventive action is risk management – a preventive action is one take before something occurs – corrective action is taken after the event.

Following the standard clauses set out above, the guide has five annexes.

• Annex A gives further guidance on the standard clauses.
• Annex B provides general guidance on the use of common terms and definitions, concentrating on how they should be arranged.
• Annex C will provide a concept diagram of the common terms and definitions (and is blank in this draft of the guide).
• Annex D gives guidance on drafting and representing terms and definitions.
• Annex E defines the common terms used in management system standards.

It will be interesting to see how this guide is applied as the management system standards are revised. It should make the integration of management systems easier and the auditing and assessment of organisations where more than one management system standard is being operated easier, and less time consuming, to be carried out. 

The corrective action process is a problem-solving process and the preventive action process is a risk-analysis process.

Corrective action

Corrective action is defined in ISO 9000 as “action taken to eliminate the cause of a detected nonconformity or other undesirable potential situation” and notes that corrective action is taken to prevent recurrence. ISO 9000 also points out that corrective action differs from correction which is defined in ISO 9000 as “action to eliminate a detected nonconformity”. Put simply, if something has gone wrong then the action you take to fix that instance is correction. For example, if a part comes off the production line with a screw missing, then putting the missing screw back is correction. The action you take to stop it happening again is corrective action. Using the same example, making sure the correct number of screws are supplied for each part would be corrective action. It gets confusing when that is referred to as preventing a recurrence. In ISO 9000 terminology that action is not preventive.

Correction

There has to be a problem for you to take corrective action. If no problem exists but there is a possibility that a problem might occur, preventing that potential problem is preventive action.

Preventive action

Preventive action is defined in ISO 9000 as “action taken to eliminate the potential causes of a nonconformity or other undesirable potential situation”. ISO 9000 distinguishes preventive action from corrective action by noting that “preventive action is taken to prevent occurrence” as opposed to recurrence which characterises corrective action. In the example used above, planning the production of the part to ensure that all the screws are fitted would be preventive action.

A risk management process is a good example of preventive action. Assessing the impact and likelihood of a risk occurring and taking action to prevent occurrence is preventive action.

Other examples of methods for identifying potential nonconformities are:

• trend analysis for process and product characteristic (where a worsening trend indicates a potential problem)
• monitoring of customer feedback
• evaluation of problems in similar processes or products
• planning of new processes and products

Procedure RequirementsNote that in the above discussion, reference is made to ISO 9000 and not ISO 9001. ISO 9000 contains the concepts and terminology on which ISO 9001 is based and is essential reading to gain a full understanding of ISO 9001.

On the question of procedures, ISO 9001:2008 makes it clear that a procedure is required for corrective action and also a procedure is required for preventive action. But there is no stipulation that these should be separate documents (see the NOTE 1 under 4.2.1 in the standard). However, the combination of a corrective action procedure and a preventive action procedure into a single document is not recommended as it then becomes more difficult to clearly separate the two distinctly different approaches. You may also find it difficult to demonstrate to an external assessor that the processes are separate and that you actually perform both types of action.