Chapter 6: Preventive Action vs. Corrective Action: Clearing Up the Most Misunderstood Concept in ISO 9001

This is where ISO 9001:2015 broke from 2008 in a way that still confuses plants in 2026.

In ISO 9001:2008, there was a separate Clause 8.5.3 for preventive action. The logic was straightforward: corrective action fixes what broke; preventive action stops problems before they happen. Two clauses, two processes, clear separation.

ISO 9001:2015 eliminated the preventive action clause entirely. It didn't disappear—it was absorbed into Clause 6.1: Risk-Based Thinking. The idea is that when you assess risks and opportunities across your quality management system (addressing product design, supplier management, process capability, staffing, equipment, etc.), you're *already* engaging in preventive thinking. You're asking: what could go wrong, and what do we do about it before it occurs?

This shift left many plants stuck with two questions:

1. *Do I need a separate preventive action process?*
2. *When do I raise a CAR versus updating my risk register?*

The answer depends on specificity and evidence.

• Raise a CAR (corrective action) when a nonconformance has already occurred and you need to address its causes and consequences. A nonconformance is factual; it happened.
• Update your risk register and implement preventive measures when you've identified a plausible risk that *could* occur but *hasn't yet*. Maybe your supplier just changed their injection molding setup, and you recognize a risk to wall thickness consistency. You implement additional incoming inspection, tighten your SPC limits, or request a Process Capability Study from the supplier. This is preventive—it stops a future nonconformance.
• Launch a process improvement or Kaizen project when you're optimizing a healthy process or exploring a strategic initiative. This lives outside the CAR/risk framework; it's business improvement, not nonconformance response.

The practical decision tree looks like this:

1. Did a nonconformance occur (produce scrap, disappoint a customer, violate a procedure, fail an audit)?

   - Yes → Raise a CAR. Follow Clause 10.2 fully. - No → Continue to step 2.

2. Did you identify a risk that could cause a nonconformance if unaddressed?

   - Yes → Document the risk, implement preventive controls, and update your Clause 6.1 risk register. - No → Continue to step 3.

3. Is this an improvement opportunity?

- Yes → Document it in your improvement pipeline and prioritize it.

The key insight: you don't need a separate "preventive action form." You need a robust risk assessment process (Clause 6.1) that feeds into your operational controls, supplier management, design reviews, and staff competency plans. When that process identifies a credible risk, you act on it—through whatever mechanism is appropriate (supplier audit, additional inspection step, design change, training emphasis, equipment upgrade). You document the risk, the action taken, and when you'll review effectiveness. That's preventive action.