Note: The views expressed in this article are those of the author and do not necessarily represent those of his/her employer, GxP Lifeline, its editor or MasterControl, Inc.
This is a common question for many people, both inside and outside of the quality community. It periodically appears every few months in virtual discussion groups and electronic bulletin boards. The question is difficult because the concepts have evolved over several decades, without adequate explanation from the core standards and regulations.
A problem happened. It might have been a defective part, or an incorrect decision, or a sprained back. But it happened. That is called a "nonconformance" because an action or thing did not meet specified requirements.1 Those requirements may have come from a drawing, a safety plan, a standard operating procedure, or a supervisor's instruction. The principles of nonconformance control have been around since the early days of manufacturing. Nonconformance control is a system. It consists of three processes working in harmony:
The last step is called remedial action and has four options: rework, reject, repair, or release. Yes, all of these possible dispositions have application in a service environment, too. Those who still have Material Review Boards for incoming supplier parts will recognize the four R options.
When a bad thing has happened, nonconformance control is always required.
But not all problems (bad things) need corrective action. This is because it takes a tremendous amount of energy to perform the four steps of corrective action. We do not have an unlimited supply of this energy among staff members. If you attempt to correct every single nonconformance that occurs, you are guaranteed to fail. You will waste your energy on the small and easy issues and have nothing left for the really tough and important problems. That is why the four remedial action options above should always be fast, cheap, and easy. Save the energy for what matters.
Corrective action is another system and has four processes:
Notice that corrective action does not deal with the initiating problem. That was addressed through nonconformance control and its remedial action! Corrective action deals with causes. Problem-solving tools are used, including six-sigma methods.
The first step in corrective action is to decide if the subsequent effort is worth staff time and energy resources. It takes courage to tell an insecure boss that further action is not warranted.
The second step in corrective action is to identify the underlying root causes of the problem. Rarely is there a single cause for a problem. It is generally multiple causes and multiple initiators. Classic problem-solving tools do us proud here. This step usually requires more than one brain and more than a day. It is hard.
The third step in corrective action is to implement systemic change to remove the identified root causes. Change is difficult. It is resisted. It will take at least a month and considerable resources.
Because change is so difficult, step four in corrective action is to see if the changes worked. This will require data. Usually a year's worth of data is needed before you can really be sure. (Problems do not follow Newton's Laws of Gravity and rarely appear in a cyclic fashion.) This last step is supposed to examine the corrective action system as a whole. Not individual corrective action sheets. It is generally part of the management review activity.
Preventive action is a totally different thing. It should really be called predictive action, in that a problem hasn't happened yet. It is part of risk management and uses a different set of tools. Unlike nonconformance control, which has been with us since the 1940s, or corrective action, which appeared in the 1960s, predictive action has only been around for a few decades. It is a relatively new concept, designed to deal with possible events that would be very damaging if they occurred.
Predictive action is composed of four steps: 1) analyze precursor data to determine the probability of a bad thing happening, 2) determine the consequences of that bad thing happening, 3) decide if the product of probability and consequences is worth accepting, and 4) if not, change the system to reduce the probability or consequences. Only when you get to step 4 do the change control methods used for preventive action become similar to corrective action methods.
Problem precursors happen all the time, but we do not notice them. The safety profession calls them near misses. A maintenance shop might notice that a motor bearing generally fails after 10,000 hours of use. The RAM-D community has developed reliability, availability, maintainability, and durability protocols to harvest precursor data. Probability analysis will tell us the likelihood of failure as a function of time.
The second step of predictive action requires determination of the consequences if the problem event occurred. FMEA tools are common here. Consequences can affect cost, production, safety, environment, or security. Consequences might be small or they might be huge.
The product of probability of occurrence multiplied by consequences of occurrence is a value used to determine risk appetite. It will vary by business sector. Government and health care generally have smaller appetites for risk than integrated circuit foundries.
If managers determine the risk is unacceptable, then resources are authorized to mitigate the anticipated risk by implementing systemic change. Or they may choose to pass the risk on to someone else by purchasing insurance.
You can see that corrective action and preventive action are two fundamentally different control systems. To keep things straight, you need but remember three words:
Dennis Arter is an independent consultant and trainer. He instructs large and small firms on how to audit management systems. Arter has served clients in the fields of government, manufacturing, chemicals, energy, food, research, aerospace, finance, medical devices, pharmaceuticals, and health care. He has been auditing since 1975.
Arter has presented his course on quality auditing to over 10,000 people since 1980. He is the author of the classic text Quality Audits for Improved Performance, an ASQ Quality Press best-selling publication. He is an ASQ Fellow, former Board member, and active in several Divisions and committees.
Arter has a degree in biochemistry from the University of Illinois and was a licensed mechanical engineer. He was on the team that developed the ASQ Certified Quality Auditor program and holds a CQA charter certificate. He has traveled extensively throughout North America, as well as the United Kingdom, Ireland, Saudi Arabia, Bahrain, Peoples Republic of China, South Africa, Croatia, Turkey, Norway, Germany, and Belgium. Arter was co-chair of the 3rd China-America Conference on Quality, held in Shanghai in 2004. He resides in eastern Washington State with his wife of 42 years. He blogs, tweets, and may be reached at firstname.lastname@example.org.