Understanding Preventive Action in CAPA Systems
When I delivered a webinar on CAPA (Corrective and Preventive Action) on May 25th, the most frequently asked questions were about “preventive action.”
The CAPA Response Hierarchy
In CAPA systems, responses to undesirable events follow a specific sequence: “immediate action,” “correction,” “corrective action,” and “preventive action.”
Let us consider a traffic fatality caused by drunk driving as an example:
Immediate Action: Provide first aid to injured persons.
Correction: Set up safety signs to prevent secondary accidents.
Corrective Action: Revoke the driver’s license to prevent recurrence.
Preventive Action: Enact dangerous driving causing death or injury laws to punish other behaviors that could lead to similarly tragic accidents.
Note: In international standards, “immediate action” is generally included within “correction” and is not distinguished as a separate category.
Common Misunderstandings of CAPA in Japan
Many companies in Japan misunderstand CAPA concepts. CAPA systems consist of seven distinct stages that must be properly understood and implemented.
Preventive Action as Risk Management
ISO 9001:2015 notably eliminated the separate clause for “preventive action.” The reason lies in the definition of preventive action itself:
“Action to eliminate the cause of a potential nonconformity or other potential undesirable situation.”
In this definition, a potential nonconformity refers to a problem that has not yet occurred—in other words, a risk. Therefore, “preventive action” is fundamentally equivalent to “risk management.”
The elimination of the separate preventive action clause does not mean preventive action is no longer required. Rather, ISO 9001:2015 integrated risk-based thinking throughout the entire quality management system, making risk management an inherent part of all processes.
The Mandatory Nature of Preventive Action
When corrective action is implemented, preventive action is mandatory.
In ISO 9001:2008 and ISO 13485:2016, “corrective action” and “preventive action” are distinguished in separate clauses. This distinction exists primarily to enable certification bodies to clearly identify whether audit findings relate to corrective action or preventive action during assessments.
It is important to note that while ISO 9001:2015 eliminated the separate preventive action clause, ISO 13485:2016 (the medical device quality management standard) retained it. This reflects the heightened regulatory requirements in the medical device industry, where explicit preventive action documentation remains essential for demonstrating proactive risk management.
In contrast, FDA regulations such as 21 CFR Part 820.100 use the term “Corrective and Preventive Action” without distinguishing between the two. This integrated approach reflects the understanding that effective corrective action inherently includes preventive elements.
Fundamentally, when corrective action is implemented, preventive action is mandatory. Historically, FDA inspections have emphasized corrective action, but there is now an increasing focus on preventive action—specifically risk management activities.
What Exactly Is Preventive Action?
During consultations and seminars, I consistently explain that “horizontal deployment is not preventive action—it is corrective action.”
So what exactly is preventive action?
Since preventive action is essentially risk management, it fundamentally involves properly identifying risks (problems that have not yet occurred) in relevant processes or products and controlling those risks proactively. While corrective action addresses past events (preventing recurrence of problems that have occurred), preventive action addresses future possibilities (preventing problems that have not yet occurred).
Let me illustrate with examples.
Example 1: Preventive Action Using Statistical Methods
Suppose a refrigerator temperature is set at 5°C (acceptable refrigeration range: 2°C to 8°C).
When measuring the temperature over time, you observe it reaches 6°C the next day and 7°C the day after. Logically, if this trend continues without intervention, the temperature will eventually exceed 8°C, resulting in a deviation from specifications.
In this scenario, beyond readjusting the temperature, you would investigate the root cause of the temperature increase. In the context of preventive action, this is referred to as the “potential cause.” Possible causes might include refrigerator deterioration over time, door seal integrity issues, frequent door opening and closing, or extended periods with the door open.
Since the temperature deviation has not yet occurred, this situation calls for preventive action rather than corrective action. This example demonstrates the proactive nature of preventive action—identifying trends and addressing potential failures before they manifest as actual problems.
Comparison Table: Corrective Action vs. Preventive Action
| Aspect | Corrective Action | Preventive Action |
| Timing | After problem occurs | Before problem occurs |
| Focus | Past event (reactive) | Future possibility (proactive) |
| Objective | Prevent recurrence | Prevent occurrence |
| Root Cause | Actual cause identified through investigation | Potential cause identified through risk analysis |
| Example | Fixing failed equipment and preventing same failure | Identifying trending data suggesting future failure |
| Regulatory Term | Often combined as CAPA in FDA regulations | Equivalent to risk management in ISO 9001:2015 |
Example 2: Addressing Other Root Causes That Lead to the Same Serious Outcome
As mentioned in the drunk driving fatality example at the beginning, preventive action involves punishing other behaviors that could lead to similarly tragic accidents.
In other words, preventive action investigates events that produce the same outcome but have different root causes.
For instance, causes of tragic traffic fatalities beyond drunk driving include driving under the influence of illegal drugs (dangerous drugs), aggressive driving, driving while extremely fatigued, or driving despite advanced age or serious medical conditions.
Investigating and preventing alternative root causes that lead to the same outcome as a problem that has already occurred constitutes one form of preventive action. In contrast, deploying the same root cause to other products or processes (horizontal deployment) is corrective action, not preventive action.
The Distinction Between Horizontal Deployment and Preventive Action
This distinction is crucial for proper CAPA implementation:
Horizontal Deployment (Corrective Action): When a problem occurs in Product A due to a specific root cause, applying the same corrective measures to Products B, C, and D that share the same root cause is corrective action. You are preventing recurrence of the same problem across similar contexts.
Preventive Action: When a problem occurs in Product A, investigating whether different root causes could lead to similar failures in Product A or other products represents preventive action. You are identifying and mitigating alternative risk pathways that could produce similar undesirable outcomes.
Regulatory Perspectives on Preventive Action
The regulatory landscape regarding preventive action varies across different frameworks:
FDA (21 CFR Part 820.100): Requires CAPA procedures to identify and correct problems and prevent their recurrence. The regulation integrates corrective and preventive action, emphasizing that both must be addressed systematically. Recent FDA guidance documents and Warning Letters increasingly emphasize the importance of risk-based preventive strategies.
ISO 13485:2016: Maintains separate requirements for corrective action (Clause 8.5.2) and preventive action (Clause 8.5.3), requiring organizations to document procedures for both. This explicit separation ensures medical device manufacturers maintain robust preventive systems.
ISO 9001:2015: Eliminated the separate preventive action clause, integrating risk-based thinking throughout the standard. Organizations must identify risks and opportunities and take actions to address them as part of their quality management system planning.
EU MDR (Medical Device Regulation 2017/745): Emphasizes post-market surveillance and vigilance systems that inherently require both corrective and preventive actions as part of the manufacturer’s quality management system.
Implementing Effective Preventive Action
To implement effective preventive action, organizations should:
Establish systematic risk identification processes using tools such as Failure Mode and Effects Analysis (FMEA), statistical process control, and trend analysis. Monitor leading indicators that may signal potential future problems before they manifest as actual failures. Conduct thorough risk assessments not only for identified issues but also for alternative scenarios that could produce similar undesirable outcomes. Document preventive actions with the same rigor as corrective actions, including verification of effectiveness. Integrate preventive action into the overall risk management framework, ensuring alignment with ISO 14971 (for medical devices) or similar risk management standards.
Conclusion
Preventive action is not merely an optional enhancement to corrective action—it is a mandatory component of an effective CAPA system. While the terminology and regulatory approaches may vary across different standards and jurisdictions, the fundamental principle remains constant: organizations must proactively identify and mitigate potential problems before they occur.
The shift from reactive problem-solving to proactive risk management represents a maturation of quality management thinking. By understanding preventive action as forward-looking risk management rather than simply as horizontal deployment of corrective actions, organizations can build more robust quality systems that prevent problems rather than merely react to them.
As regulatory authorities worldwide increasingly emphasize preventive approaches and risk-based thinking, mastering the concept and implementation of preventive action becomes not just a compliance requirement but a competitive advantage in delivering safe, effective products to the market.
Comment