Skip to content
CHANGEROUTE

Corrective Action and Preventive Action (CAPA): An ISO 9001 Guide for UK Manufacturers

What CAPA Means — and a Common Misconception

CAPA stands for Corrective Action and Preventive Action. It is a term most UK quality managers use daily, and it appears in customer requirements, supplier scorecards, and audit reports. But there is a common misconception worth clearing up first: ISO 9001:2015 does not contain a "preventive action" clause.

That surprises people, because the 2008 edition of ISO 9001 did. The 2008 standard had clause 8.5.3 "Preventive action" sitting alongside clause 8.5.2 "Corrective action". When the standard was revised in 2015, the standalone preventive action clause was removed. It was not removed because prevention stopped mattering — it was removed because the entire 2015 standard was rebuilt around risk-based thinking, which makes prevention a continuous, built-in activity rather than a separate reactive procedure.

So under ISO 9001:2015:

  • Corrective action is an explicit requirement — clause 10.2, "Nonconformity and corrective action".
  • Preventive action is no longer a named clause. Its intent is achieved through risk-based thinking, principally clause 6.1 ("Actions to address risks and opportunities") and built into the way the whole QMS is planned.

CAPA remains a perfectly good practical term, and many UK manufacturers keep a "CAPA process" because customers and their own habits expect it. What matters for audit is that you understand which part of CAPA maps to an explicit ISO 9001:2015 requirement (corrective action) and which part is met through risk-based thinking (preventive action). An auditor will not fault you for having a CAPA procedure; they may fault you for claiming preventive action is "required by clause 8.5.3" — that clause no longer exists.

Correction vs Corrective Action: The Distinction Auditors Test

Before going further, one more distinction that auditors check constantly, because getting it wrong is the single most common corrective action finding.

  • Correction is the immediate fix to the problem in front of you. You scrap the bad part, rework the batch, or replace the rejected shipment. Correction deals with the symptom.
  • Corrective action addresses the cause so the problem does not happen again. It targets the system, not the individual occurrence.

Replacing 200 rejected parts is correction. Changing the work instruction, retraining the operators, and adding a poka-yoke so the parts cannot be made wrong again is corrective action. ISO 9001:2015 clause 10.2 requires both — react and correct, then evaluate the need to eliminate the cause.

This is also where many non-conformance reports fall down: they record the correction ("parts reworked") and stop, with no corrective action and no verification that the cause was addressed.

What ISO 9001:2015 Clause 10.2 Requires

Clause 10.2 is split into two parts.

10.2.1 sets out what to do when a nonconformity occurs, including one arising from a customer complaint. The organisation must:

  • React to the nonconformity — take action to control and correct it, and deal with the consequences
  • Evaluate the need for action to eliminate the cause(s), so the nonconformity does not recur or occur elsewhere — by reviewing and analysing the nonconformity, determining its causes, and determining whether similar nonconformities exist or could occur
  • Implement any action needed
  • Review the effectiveness of the corrective action taken
  • Update the risks and opportunities determined during planning, if necessary
  • Make changes to the quality management system, if necessary

10.2.2 sets out the records: the organisation must retain documented information as evidence of the nature of the nonconformities and any subsequent actions taken, and of the results of any corrective action.

A key phrase in 10.2.1 is that corrective actions must be "appropriate to the effects of the nonconformities encountered." This is the proportionality principle — a minor non-conformance needs a proportionate, lightweight response; a major or safety-related one needs a thorough investigation.

A Practical CAPA Process for an SME

Here is a corrective action process a UK manufacturing SME can run without specialist software. It satisfies clause 10.2 and uses the proportionate, risk-based approach the standard expects.

Step 1: Capture and Contain

The corrective action process usually begins from a non-conformance report, a customer complaint, an audit finding, or a trend in the data. Record the correction (the immediate containment) first.

Step 2: Decide Whether Corrective Action Is Needed

Not every non-conformance needs a corrective action. A one-off, low-impact slip can be closed with a correction and a note. Clause 10.2.1 asks you to evaluate the need — that evaluation is itself a record. Open a corrective action when the issue is recurring, high-impact, customer-reported, or systemic.

Step 3: Find the Root Cause

This is where corrective action succeeds or fails. Use a root cause method matched to the problem — a quick 5 Whys for a simple linear cause, a fishbone diagram where several causes might contribute, or a full 8D investigation for a serious or customer-reported issue. Our root cause analysis comparison explains when to use each. "Operator error" is never a root cause — the root cause is why the error was possible.

Step 4: Define and Implement the Action

The corrective action must target the root cause, not the symptom. Typical actions: a procedure change, a work instruction update, training, a process control (such as in-process inspection or error-proofing), a supplier development action, or — where the cause is in the product or process design — an Engineering Change Request (ECR). Assign an owner and a target completion date.

Step 5: Verify Effectiveness

Clause 10.2.1 explicitly requires reviewing the effectiveness of the corrective action. Verification needs evidence — a re-inspection result, an audit outcome, or a KPI trend showing the problem has not recurred — not just a signature. This step is the most frequently missing or rubber-stamped one in SME corrective action records, and auditors look for it specifically.

Step 6: Update Risks and Close

Where the corrective action reveals a risk that was not previously identified, update your risk register or risk-based thinking output (the modern home of "preventive action"). Then close the record.

Where Preventive Action Lives Now

If preventive action is no longer a clause, where does it live in ISO 9001:2015? In three places:

  • Clause 6.1 — Actions to address risks and opportunities. This is the main home of preventive thinking: identifying what could go wrong and planning to prevent it before any non-conformance occurs.
  • Clause 10.2.1's "determine if similar nonconformities exist or could potentially occur." When you fix one problem, the standard asks you to check whether the same cause could bite elsewhere — that look-across is preventive in nature.
  • Clause 10.3 — Continual improvement. Analysis of trends and corrective action data feeds ongoing improvement, which prevents future problems.

In practice this means a good SME quality manager does not run a separate "preventive action" procedure. They build prevention into design reviews, Process FMEAs, risk assessments, and the look-across step of every corrective action.

Common CAPA Findings in UK Audits

UK certification body auditors regularly find the same corrective action weaknesses:

  • Correction recorded as corrective action — the parts were reworked, but the cause was never addressed
  • Root cause too shallow — "operator error" with no system-level cause
  • No effectiveness verification — the action was implemented but never checked
  • Corrective actions that never close — open for months with no progress
  • Claiming preventive action is a clause requirement — citing the obsolete 2008 clause 8.5.3

Avoiding these does not require software. It requires a quality manager who distinguishes correction from corrective action, drives root cause properly, and verifies effectiveness with evidence.

How ChangeRoute Fits

The corrective action loop and the engineering change loop are the same chain to an auditor: a non-conformance leads to a corrective action, and where the root cause is in the design or process, that corrective action becomes an engineering change. ChangeRoute links NCRs, corrective actions, and Engineering Change Requests into one traceable record — the NCR-to-CAPA-to-ECO trace UK certification bodies check at every surveillance audit.

If you run a UK manufacturing SME and want to spend less time managing corrective actions in spreadsheets and Word documents, join the waitlist for early access.

Sources

  • ISO 9001:2015 — Quality management systems — Requirements (clause 10.2 Nonconformity and corrective action; clause 6.1 Actions to address risks and opportunities; clause 10.3 Continual improvement). Available from ISO and BSI (paywalled).
  • ISO 9001:2008 — the prior edition, which contained the now-removed clause 8.5.3 Preventive action (superseded). Historical reference: ISO catalogue (withdrawn).
  • ISO/TC 176 — the ISO Technical Committee responsible for ISO 9001: iso.org/committee/53882

Ready to automate your change management workflow?

ChangeRoute replaces paper ECRs with a structured digital workflow. Join the waitlist for early access.

No spam. Unsubscribe any time. Privacy policy.

Related guides

Change Control Procedure for ISO 9001: A Practical Template for UK Manufacturers

How to write a change control procedure that satisfies ISO 9001:2015 clause 8.5.6. A step-by-step structure UK manufacturing SMEs can adopt, with the records auditors check.

Root Cause Analysis: 5 Whys vs Fishbone vs 8D — When to Use Each

A decision-support guide for UK manufacturers: when to use 5 Whys, a fishbone diagram, or an 8D report for root cause analysis. Includes free tools for each method.

FMEA Template Guide: Process FMEA for UK Manufacturing SMEs

Process FMEA guide for UK manufacturing SMEs: severity, occurrence, detection scoring, RPN calculation, and an audit-ready PFMEA template structure.