Correction, corrective action, and preventive action: what changed and what didn't

Walk into ten quality teams and ask them to define correction, corrective action, and preventive action. You will get fifteen different answers. The terms get used interchangeably in meetings, swapped around in CAPA software, and frequently confused in audit findings. Getting them right is not pedantry — it changes how you investigate, what you do, and whether the problem comes back.

The three terms, cleanly defined

Correction

Correction is what you do to deal with the immediate nonconformity. The defective part is scrapped or reworked. The wrong invoice is reissued. The contaminated batch is quarantined. Correction addresses the symptom — the thing that is wrong, right now — and nothing more.

Correction is necessary but not sufficient. A team that only does corrections will see the same problems recur indefinitely, because nothing about the underlying system has changed.

Corrective action

Corrective action is what you do to stop the nonconformity from happening again. It targets the cause, not the symptom. To take corrective action you must first understand the root cause — which is why corrective action and root cause analysis are inseparable.

If a wrong part shipped to a customer, the correction is sending the right part. The corrective action might be redesigning the picking process, retraining the operator, or adding a verification step that makes the error impossible. The test of a real corrective action is simple: would this prevent recurrence not just of this specific event, but of the entire class of event?

Preventive action

Preventive action is what you do to stop a nonconformity from happening in the first place — before there is a nonconformity to react to. It addresses potential causes of potential problems, identified through analysis, observation, audit, or risk assessment.

Preventive action is the most valuable of the three and the easiest to neglect, because no one is shouting about it.

What ISO 9001:2015 changed

Here is the part that surprises many quality professionals: ISO 9001:2015 removed the explicit requirement for preventive action. Earlier versions of the standard had a dedicated clause requiring organizations to determine and implement preventive action. The 2015 revision deleted that clause.

This was not because preventive action stopped mattering. It was because the standard was restructured around risk-based thinking. The drafters reasoned that the entire QMS — particularly Clause 6.1 on actions to address risks and opportunities — is preventive in nature. If you are running a risk-based system properly, you are continually identifying potential nonconformities and taking action to prevent them. A separate 'preventive action' procedure was, in their view, redundant.

In practice, this change has been widely misunderstood. Many organizations interpreted the deletion as 'preventive action is no longer required' and quietly stopped doing it. They kept the corrective action process, dropped the preventive one, and waited for problems to occur before acting. That is the opposite of what the standard intended.

The 2026 revision keeps the risk-based framing but tightens expectations around demonstrating that the risk thinking actually leads to preventive action — not just a risk register that gets updated annually and forgotten.

Why the confusion persists

Three reasons the three terms keep getting muddled:

• Most CAPA software lumps everything into a single 'CAPA' record, so the distinction is invisible to the user.
• Auditors writing findings often demand 'corrective action' when what they really want is correction first, then corrective action — and the responding team submits a single response that confuses the two.
• Many organizations still call their process 'CAPA' (Corrective and Preventive Action) even though their procedures only describe reactive corrective action.

What good practice looks like today

A mature improvement process treats the three as a sequence with clear ownership at each step.

• Containment and correction first — fast, decisive, owned by the operational team.
• Root cause analysis before any corrective action — done by people close to the work, supported by structured techniques rather than guesswork.
• Corrective action defined to address the cause, with effectiveness verification scheduled at a future date.
• Preventive action driven from risk reviews, audit observations, near-misses, customer signals, and trend analysis — not waiting for failure.
• Horizontal review: when a nonconformity is found in one area, ask deliberately whether the same cause exists elsewhere. Most organizations don't.

A simple test for any improvement record

Look at any closed improvement record in your system and ask: Which of the three is this? If you cannot tell, the record is too vague. If it is correction labeled as corrective action, you have a recurrence problem waiting to happen. If your system has no preventive action records at all, you are reacting your way through the year.

The terminology matters because the actions matter. Correction stops the bleeding. Corrective action stops the recurrence. Preventive action stops the next class of problem before it starts. A QMS that does all three is a QMS worth running.