Preventive Action From: ISO Standards Discussion Date: Fri, 29 Sep 2000 15:02:36 -0500 Subject: Re: Q: Preventive Action /Conley/Andrews From: eandrews@usffiltration.com Patti inquired (in part); > We don't understand just how > far we need to go with preventive actions: do they need to be > documented & approved by someone, & then followed-up on > for effectiveness (similar to corrective actions)? Or is it > sufficient just to document what "preventive action" situations > have taken place & file them for later management review?" Patti, I have also encountered external auditors that come in looking for an entirely separate system for the handling of "preventive actions". What I have done to steer them in the right direction (toward proper interpretation of the 'intent' of the ISO 900X requirement) is to show the auditor where in our system preventive actions are incorporated. The topmost place in any QMS system to illustrate the presence of preventive actions is the existence of the system itself. The fact that you have a working QMS that requires management to periodically analyze the effectiveness of the system (internal audit results, customer complaints, internal nonconformities, etc.) with an eye toward undesirable trends is in and of itself a preventive measure (management is after all reviewing this information in order to improve the system where needed and thereby PREVENTING future problems). This is just one area of your existing system that you can use to demonstrate "preventative actions". I am sure that there are other areas within your existing system (supplier evaluations, training, etc.) that you can use as well. Hope this is helpful to get the 'ole grey matter' going. Ethan Andrews ---------- snippo ---------------- From: ISO Standards Discussion Date: Fri, 29 Sep 2000 15:07:35 -0500 Subject: Re: Q: Preventive Action /Conley/Paten From: "Mike Paten" The only difference between preventive action and corrective action is that preventive action is taken based on potential failures and corrective action in response to an actual failure. Corrective action requires that you not only correct the problem but you also must identify actions that may prevent or reduce the likelihood of its recurrence. Preventive action requires that you identify actions that will prevent or reduce the likelihood of something bad happening the first time. Preventive action is normally a result of data analysis - i.e. a pareto analysis of customer complaints show most come from a single customer - or most relate to a specific product - that tells you that you might want to investigate further. Bottom line is that anything you do (that is not a direct result of a failure) is pretty much a preventive action. For example, if you know that you spend a lot of down time repairing old equipment because spare parts are hard to find - you might want to build up an inventory of long lead time or hard to get parts (maybe even used if they check out okay). Another example - if you have recently introduced a new product line you might want to develop/implement a training program that shows the whole "crew" the process at once - so everyone learns by observation how the process works and what operators should look for. Another example - you discover that your often overlooked third shift is comprised primarily of Americans of foreign descent who can't speak or read a word of English - hence your work instructions and process sheets are worthless - and the shift foreman can't speak or read a word of their native language. Although no current production problems exist, there's a good chance something will happen if you don't keep these people informed - so you might want to contact a local college and get a "translator" in to come in periodically and give them some training on recent production problems, improvements, etc. Okay, I could go on - but I won't. The thing that should drive preventive action is data. SPC itself is the perfect example. When key characteristics are tracked over time you can see when a process is going bad before it actually does - so you change that drill bit before it breaks, or make other process adjustments before out of spec conditions occur. Any initiative that sounds like prevention probably is prevention. The bottom line is - that when you only document actions taken in response to actual failures - then you have only documented corrective actions - just about everything else is prevention! Hope this makes sense - and helps. Mike Paten ---------- snippo ---------------- At our last surveillance audit our auditor noted we needed to document our preventive action better. This has always been a gray area for everyone I have talked with that deals with ISO 9000. Our auditor said that the current standard does a poor job explaining preventive action and he writes non-conformances often because companies don't understand it. He also said that the 2000 standard doesn't improve upon it much. I guess I have often been confused because any preventive action is usually "correcting" a flaw in our quality system. Our auditor couldn't give us a precise definition of preventive action but "knows it when he sees it." He said long term goals and projects tend to be preventive action and quick fixes tend to be corrective action. I'm wondering if anybody else has had concern for differentiating between corrective and preventive action? (Moderator’s Note: Yeah, let’s hear from the auditors out there on this one. What is your registrar’s policy on this?) Reply: Preventive action: Is when you examine data and information and make a decision on how to improve the system. This is often done in the Management Review process. Our ISO system documents a lot of preventive action in the Management Review files. Preventive action can also be documented in the Corrective action system. We use our Corrective & Preventive Action (CPAR) form to document Preventive Action requests. This puts the preventive action into a system where it can be tracked and followed up by a manager or internal auditor. The preventive action is then verified for it's effectiveness. Example of preventive action: Several years ago we categorized the number of customer complaints we received. A pareto chart was made and the number one category of complaint was caused by order entry problems. Order entry problems were due to incorrect information being put on bill-of-ladings, order acknowledgments, etc. (transcription errors mostly). Our ordering system was mostly manual input with people typing in the same information into different computer files or programs. We used this information to present to upper management to justify a computer system (database) that would eliminate a lot of double entry of data. Result was a new database system which has decreased our data entry errors and improved our ordering process system. Now we rarely have a problem that is caused by order entry mistakes. Other examples of Preventive Action: Capital expenditures, new product development. Reply: Thats a really good question, the first one I ever asked in auditor training........ okay, can't comment on our registrars policy (I will try though as he'll be visiting in a few weeks time) but as an internal Auditor in our company I define a Corrective action as an immediate plan to address a fault that has been identified, Preventative action is the long term measure implemented to prevent this fault from re-occurring. These get tracked either through being raised as a non conformances and tracked to closure (as explicit dates/time frames are set for their completion), or they get tracked to closure as action points from a meeting (with an individual assigned as responsible for making the action happen). This combined with the results from Senior management review of the Quality management system on a regular basis forms our Preventative and Corrective action strategy. As a note Our company is an outsourcing software house, so we are more likely to fix a fault in a product than remove it from production, maybe that is the difference in the strategy applied the results of a cost benefit analysis will (99% of the time) recommend a fix rather than a regeneration in our Quality system as the product is so inherently expensive. It may be that in a clear cut manufacturing system it may be more cost effective to reject a non conforming product than to fine tune the system to remove the source of the defect. the preventative action in this instance is rejected as it is contrary to business objectives and therefore that is an acceptable reason for ISO, as It is there to support your business function Reply: Corrective Action: An action taken to eliminate the causes of an existing nonconformity, defect or other undesirable situation in order to prevent recurrence. The Problem has occurred. Preventive Action: An action taken to eliminate the causes of a potential nonconformity, defect or other undesirable situation in order to prevent occurrence. A potential problem that has not occurred to date. A corrective action in one area/product line can be a preventive action in another area/product line Reply: Corrective Action is the immediate fix or resolution to a problem that has occurred. It is as simple as issuing credit, alerting operations, or changing instructions. Preventive action on the other hand is when the organization pauses for a minute, assesses a problem or potential problem from data that has been collected and formally assigns resources to solve a problem long term, in order to permanently fix the problem or potential problem. The best analogy I can come up with is someone says Hey! if our process produced a problem for this customer maybe we have the same problem with other customers too! It is just that other customers are tolerating it or did not bother to complain. Just because no one complains doesn't mean you do not have a problem. So what is the difference? Corrective action may or may not fix the problem. Corrective actions are usually band aids for today. Corrective actions are assessed in order to assign resources to take preventive action. Preventive actions are resource expenditures above and beyond the day to day corrective action activities. Easy to conceive difficult to implement. Most organizations do a good job of documenting and tracking corrective action activities. Organizations usually do a poor job of formally documenting and tracking resources they assign to solving significant problems. That is why there are discrepancies from an auditing perspective. When an organization assigns a person or a team, to solve a significant problem and collects data that supports that the change, improvement, or fix is permanent, they do not intuitively connect that activity to a formal preventive action or improvement process. Reply: Well, I guess we've come across an example of a poor auditor: writing non-conformances for something he cannot explain... Personally, I would not attach too much importance to the relative difference between preventive and corrective actions. I would say preventive actions are those aimed at detecting and eliminating potential causes of nonconforming product or failing processes while corrective actions correct all things gone wrong already (see also Hoyle, ISO 9000 Quality Systems Handbook, 2nd Edition). Continuous improvement is, however, the basic idea one should see behind preventive and corrective actions. As long as you can demonstrate that your operations are continuously and effectively improving using the relevant procedures that you put in place, albeit through preventive or corrective actions, a good auditor will understand that you captured the spirit of ISO 9000. Reply: Pro-active, Reactive... Preventative action is to recognize a weakness and create a solution before it becomes a problem. Using this definition is a manufacturing effort, to inspect product is reactive and does nothing to prevent the defect from occurring. That's just corrective action good only for the problem at the moment. This action costs money to support, and guarantees you will spend more money later because the defect that happened today will surely happen tomorrow. Preventative action is to catch the situation prior to or while it is happening; pro-active. What is considered now as the best pro-active method for monitoring manufacturing is Statistical Process Control. To catch a defect before it becomes a defect is truly manufacturing preventative action. Preventative action is not just confined to manufacturing. It is also something that should concern the manufacturing support departments and also need to be considered. In our company we stress Continuous Improvement. All processes, regardless of the department that uses them, must be reviewed at least on an annual basis and each must come up with ways to improve... that are measurable. The CA drive should also be managed in a cross-functional method so that as one department or group changes processes or thinking, other related departments are aware of the changes as they are being conducted. Preventative Action is a necessity if we want to be competitive on the world market. Believe this and win or don't believe this... and loose. Simple, and your choice. Reply: I don't know who the Reader's Auditor (or Registrar) is but I would suggest he/she is a very inexperienced one and clearly does not understand or cannot verbalize the difference. The response was lame at best. ISO 8402:1994, Quality Management and Quality Assurance -- Vocabulary, is quite clear and precise in it's definition of both corrective action and preventive action as follows: Corrective Action: (ISO 8402, para. 4.14) "Action taken to eliminate the causes of an existing nonconformity, defect or other undesirable situation in order to prevent recurrence". My emphasis on the key words "existing" and "re"currence. Preventive Action: (ISO 8402, para. 4.13) "Action taken to eliminate causes of a potential nonconformity, defect or other undesirable situation in order to prevent occurrence". My emphasis on the key words "potential" and "occurrence". Whereas corrective action generally deals with immediate issues, preventive action is taken when a potential nonconformity is identified as a result of analysis of records and other relevant sources of information, such as: · inspection and test records; · statistical process control documents; · observations during process monitoring; · customer complaints; or · internal and subcontractor sourced product, process and quality system information. Records relating to the product/service delivery should be analyzed regularly, to detect any trends and to identify areas of risk that may lead to potential non-conformities. The analysis should also determine the actions necessary to prevent any identified potential problems. Information on preventive actions taken is required as an integral part of the management review process, to maintain and improve the effectiveness of the quality system. Further guidance can be found in ISO 9000-2, ISO 9004-1. Reply: I'm not an auditor, only a lowly QA Manager, but I found ISO 9001:2000 (CD2 Section 8.5) to be fairly clear on the difference between corrective and preventive actions, although the wording is a bit long-winded! Corrective = stopping an actual non-conformance from recurring, eg by correcting a faulty process, training personnel. It is usually the result of analysing customer complaints, returned products, etc, and as such means that someone (an internal or external customer) has been dissatisfied. Preventive = preventing a non-conformance from occurring, ie by proactively spotting potential hazards and doing something about them before something actually goes wrong. This is usually down to more thoughtful design in the first place - possibly including a more representative sample of operators and end-users on the design and development team, and producing more prototypes for comparative studies. It should aim at preventing any internal or external customer dissatisfaction. Preventive actions may extend the design and development phase of a project/process, but usually save much time/money/hassle in the long term. My company has usually only done the corrective bit, but now we're moving into preventive mode. Hopefully this means that I won't have to wear my fireman's helmet so often !! Reply: I've been heavily involved with ISO since '91. Nothing has been poorly defined/interpreted than this clause. From one continuous assessment to the next; and from one registrar to another is like "hitting a moving target". I'm just waiting for a an auditor to say "I know it when I see it." Would a proper response to an Action Request be "Well, we know it when we see it?" Reply: As a former third-party auditor, the registrar I worked for provided training in this area for auditors. Corrective action is activity related to eliminating recurrence of a nonconformity. The nonconformity has already occurred and you are taking action to assure it does not happen again. An example of corrective action is when you manufacture an item, inspect it, find that it is non-conforming, then make process adjustments to eliminate recurrence of the same nonconformity. Preventive action is activity related to eliminating occurrence of a problem. An example of preventive action is when you manufacture an item, inspect it, plot the result on an SPC chart, and adjust the process based on a undesirable trend you observe on the chart (no nonconformity was produced, but if the process continued to drift without adjustment, nonc-onformities would be manufactured). Y2K remediation efforts are another example of preventive action since the problem (computer crashes due to correct year recognition) has not yet occurred. Reply: Here in the UK we like to believe that we audit systems and documentation with a clear view of the requirements, and then reach a conclusion based on the customer requirements and the information gathered. To tell a client that he has a problem, that the auditor is unable to adequately define, but is prepared to write a non-conformance report against is unprofessional and unacceptable. The inability of the auditor to explain his point to a reasonable auditee demonstrates the lack of skill of the auditor. We are not there to raise non-compliance forms but to assist the auditee to improve performance. My advice to the auditee and his employer is to remember that the registrar is a supplier providing a service, and as with all other services there are other suppliers ready and willing to satisfy his requirements without compromising audit standards. Reply: Differentiating between preventive and corrective action is a fundamental thing, covered by the four basic steps of Quality - (1) design for prevention, (2) control, (3) correction (4) drawing lessons. The two terms belong to different stages in the product life cycle. Also the correction stage deals with INDIVIDUAL PATTERNS OF FAILURE while prevention gives them (and others) a GENERIC CURE. I'm not an auditor, but have met the problem you are talking about. Unfortunately, firms in a process of ISO9000 registration tend to drop the real issue under the pressure of passing the registrar test. The way to satisfy the registrars and still do things the right way is to try having a fully covered documentation of prevention. In case the registrar is determined to go exactly by the book and reject the excessive procedures, you can move them out from the quality procedure book into the operation book. I suspect that the "gray area of prevention" results from the difficulty to figure out prevention in a QUANTITATIVE way. Prevention is an illusive thing to keep track of because it eliminates ahead its evidences. In other words, better you are at prevention, less you have anything to show for. This is why the quality concept that believes in "anything real is definable" has a hard time relating to prevention. I'm curious to know how the 2000 standard tackles this problem, since it seems like a deep shortcoming of the concept. Reply: As an Senior Auditor with nearly 7 years contracting experience with Certification Bodies / Registrars I would have to agree that your reader is correct, the true intent of PREVENTIVE ACTION is not well understood. - Corrective action is the REACTIVE process. Something has to vary from requirements before action is taken. - Preventative action is the PROACTIVE process. It includes all those actions taken to prevent a problem, defect, fault, failure in the product, process or systems of management before it ocurs. The key word in clause 4.14.3 / 8.5.3 of the ISO9001 standard and it application is "potential". If you consider preventative action from the above point of view and then look at ISO9001 again you will see what is intended. Sadly most people have been trained incorrectly since introduction of the ISO Standards in 1987 and the above interpretation has only recently been circulating as the accepted one. That interpretation was first introduced in 1994, soon after the release of the current version of the ISO9001 and published in a book written by the author of this reply. The enlightened Certification Bodies / Registrars are currently applying the above interpretation but the majority have yet to change their thinking. The ISO9001:2000 has done little to improved the interpretation but you should have a look the guidance provided by ISO:9004:2000 and at Figure A5 in the ISO9000:2000 (fundamentals and vocabulary) to better understand the intent of "nonconformity". We can look forward to many years of debate about the "preventive action" clause. This discussion moderated by the ISO 9000 Support Group at www.isogroup.simplenet.com. ---------- snippo ----------------