Toughest ISO 9001:2000 Requirements (8.5.3)

In an earlier newsletter, I identified twelve ISO 9001:2000 clauses as the toughest requirements to interpret and implement.Clauses 4.1, 5.1, 5.4.1, 5.4.2, 6.2.2, 6.3, 7.3.1, 7.5.2, 8.2.1, 8.4, and 8.5.1 have been addressed in past newsletters. This article completes the list with clause 8.5.3, Preventive Action.. 

ISO 9001:2000, clause 8.5.3, states


The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions shall be appropriate to the effects of the potential problems.

A documented procedure shall be established to define requirements for
a) determining potential nonconformities and their causes,
b) evaluating the need for action to prevent occurrence of nonconformities,
c) determining and implementing action needed,
d) records of the results of action taken (see 4.2.4), and
e) reviewing preventive action taken.   


Preventive action is defined by ISO 9000:2000, Fundamentals and Vocabulary, as the action taken to eliminate the cause of a potential nonconformity or other undesirable potential situation. As a result, the preventive action process is an important improvement activity. By taking preventive actions, you avoid potential problems and their adverse effect on your processes, products, and customer satisfaction.

A documented procedure shall be established … 

In ISO 9001:1994, clause 4.14 stated the need for a documented procedure for corrective and preventive action. As a result, many organizations had a single procedure addressing both types of action. Unfortunately, preventive action was not always clearly understood and often had inadequate or incorrect coverage.

Some organizations confused correction with corrective action, as well as, corrective action with preventive action. Forms would include fields for corrective action, followed by root cause and then preventive action. Of course, you can’t take corrective action until you know the cause. The listed corrective action was really the immediate fix or correction. When asked for examples of preventive action, organizations would point to the “preventive action” taken to keep the nonconformity from happening again, but that was really the “corrective action”. 

Remember that corrective action eliminates a detected problem and prevents it from repeating (avoids recurrence). Preventive action anticipates possible problems and prevents them from happening (avoids occurrence). As an example, a nonconformity found during an audit will result in corrective action. However, a trend analysis of past audit problems may indicate the need for preventive action.

ISO 9001:2000 has placed corrective and preventive action in unique clauses (8.5.2 and 8.5.3) and separately identifies the need for documented procedures. This doesn’t mean corrective and preventive actions can’t be covered in the same procedure, but it does emphasize the need to focus on their unique differences.

a) determining potential nonconformities and their causes

Preventive actions can be identified by monitoring performance trends. Clause 8.4.c states that the analysis of data must provide information on the characteristics and trends of processes and products, including opportunities for preventive action.  

Your organization should analyze data, such as:

  • attainment of specific quality objectives
  • levels and types of customer complaints
  • failure mode and effects analysis
  • product returns and warranty claims
  • internal and external audit reports
  • statistical process control results
  • recommended equipment service limits
  • capacity of machines and computer servers
  • sales trends and service reports
  • employee suggestion program
  • customer satisfaction survey results

If the data analysis indicates trends that may develop into potential problems, then preventive action should be considered to eliminate their possible causes. The agreed to actions should be assigned with completion due dates to the responsible process owners.

b) evaluating the need for action to prevent occurrence of nonconformities

Clause 8.5.3 states that preventive actions must be appropriate to the effects of the potential problems. In other words, your organization isn’t forced into taking actions that don’t make good business sense. Resources are limited. Although a trend may indicate potential problems, there may be higher priorities. The consequences of not taking action should be considered. The suspect trend could be monitored to ensure it doesn’t become more severe and warrant action.

c) determining and implementing action needed

The analysis of potential root causes may determine multiple possible actions. These potential approaches are evaluated and the best solution selected based on implementation risks and expected benefits.

d) records of the results of action taken 

When deciding on the preventive action in the prior step, remember to consider that the results must be reviewed. Ensure that records are kept for analysis purposes and as evidence of conformity with the requirements of clause 8.5.3.

e) reviewing preventive action taken   

The key to understanding this sub-clause is examine the word “review”. According to ISO 9000:2000, review is defined as the activity undertaken to determine the suitability, adequacy, and effectiveness of the subject matter to achieve the established objectives. So, reviewing doesn’t just verify that the action was taken, it judges the effectiveness of the action in preventing the potential problem.

ISO 9001:2000 emphasizes “planning” for the system, its resources, its processes, and the measurements necessary to evaluate performance. Part of this planning is to anticipate what might go wrong and try to prevent the occurrence of these potential problems. Preventive action requires a proactive approach. Also, the status of preventive actions must be covered at management reviews (according to clause 5.6.d).