APG Guidance on Preventive Actions
Following is the copy of the APG Guidance document on PA:
1) Introduction
ISO 9000:2000 clause 3.6.4 defines preventive action as “action to eliminate the cause of a potential nonconformity or other undesirable potential situation”.
This can be considered as an action taken to prevent a nonconformity from happening. However, if there is no nonconformity to start with, and if the preventive action is effective, the status quo will be maintained. This raises the difficulty of auditing a process for which the desired output is to maintain the status quo.
There is often confusion about the differences between the terms i.e. correction, corrective action and preventive action (please refer to ISO 9000:2000 for their formal definitions), and also in relation to an organization's activities in respect of each of them.
Auditing an organization’s correction and corrective action processes is relatively straightforward, because the results and effectiveness of these processes are usually well defined (i.e. if the organization has already identified a nonconformity, it is relatively simple for an auditor to evaluate the process the organization used, or is planning to use, to correct it, and whether or not this will be effective in avoiding re-occurrence of the nonconformity); however, auditing preventive action processes is usually more complex.
2) Auditing Guidance
2.1) ISO 9001:2000 requires the organization to have a documented procedure for preventive action.
Note: The combination of corrective action and preventive action documented procedures into a single QMS document is acceptable, but is not recommended. If these are combined, then it is important for the auditor to verify that the organization understands clearly the difference between the intent of corrective and preventive actions.
2.2) The Standard requires this documented procedure to include:
a) How the organization determines potential nonconformities and their causes.
Typical examples include:
Trend analysis for process and product characteristics (output from the data analysis process). A worsening trend might indicate that if no action is taken, a nonconformity could occur.
Alarms to provide early warning of approaching "out-of-control" operating conditions.
Monitoring of customer perception, by both formal or informal feedback systems.
Analysis of trends in process capability, using statistical techniques.
Ongoing failure mode and effect analysis for processes and products (this is a requirement of TS 16949, for the automotive industry, for example).
Evaluation of nonconformities that have occurred in similar circumstances, but for other products, processes, or other parts of the organization, or even in other organizations.
Through planning activities for both predictable situations (e.g. due to expansion, maintenance, or personnel changes – see also ISO 9001, Clause 5.4.2b)) and for unpredictable situations (e.g. naturally occurring problems such as hurricanes, earthquakes, floods etc.)
ISO 9004:2000 clause 8.5.3 Loss prevention provides other examples (Note: this ISO 9004 guidance is not mandatory).
b) An evaluation of the need for preventive action.
Methods used in the evaluation could include:
Risk analysis approaches
Failure mode and effect analysis, as mentioned in (a) above.
(Note: neither of these specific approaches or methodologies are requirements of ISO 9001:2000.)
c) How the organization determines what action is required, and how it is implemented.
An auditor should look for evidence that:
the organization has analyzed the causes of potential nonconformities (use of cause and effect diagrams and other quality tools may be appropriate for this).
the required actions are deployed in all relevant parts of the organization, and in a timely manner
there are clear definitions of the responsibilities for the identification, evaluation, implementation and review of preventive actions
d) Records of the results of the actions taken
What records are kept?
Are they appropriate, and are they a true reflection of the results?
Are they being controlled in accordance with ISO 9001:2000 clause 4.2.4?
e) A review of the preventive actions taken
Were the actions effective (i.e. was a nonconformity prevented from occurring and were there any additional benefits)?
Is there a need to continue with the preventive actions the way they are?
Should they be changed, or is it necessary to plan new actions?
2.3) There is often significant “philosophical” discussion between the auditor and the organization about where corrective action ends, and where preventive action begins. For example, if a nonconformity is detected in process “A”, are actions taken to avoid future nonconformities in processes “B”, “C” and “D” preventive actions, or simply within the scope of the corrective actions taken for process ”A”? The auditor should avoid being “side-tracked” by these discussions, and concentrate on whether or not the actions were effective. The “labeling” of the actions taken is of secondary importance!
