The latest revision of ISO 9001 has done away with the preventive action clause, which reads as follows:
“The organization shall determine action to eliminate the causes of potential nonconformities in order to prevent their occurrence. Preventive actions shall be appropriate to the effects of the potential problems.
“A documented procedure shall be established to define requirements for (a) determining potential nonconformities and their causes, (b) evaluating the need for action to prevent occurrence of nonconformities, (c) determining and implementing action needed, (d) records of results of action taken (see 4.2.4), and (e) reviewing the effectiveness of the preventive action taken.”
Taking its place in ISO 9001 is the concept of risk-based thinking, which goes like this:
“Risk-based thinking enables an organization to determine the factors that could cause its processes and its quality management system to deviate from the planned results, to put in place preventive controls to minimize negative effects, and to make maximum use of opportunities as they arise (see Clause A.4)…
“…Risk-based thinking (see Clause A.4) is essential for achieving an effective quality management system. The concept of risk-based thinking has been implicit in previous editions (of ISO 9001)…
“…One of the key purposes of a quality management system is to act as a preventive tool. Consequently, this International Standard does not have a separate clause or subclause on preventive action. The concept of preventive action is expressed through the use of risk-based thinking in formulating quality management systems requirements.”
So, you see? Preventive action has not gone away from ISO 9001. It has been reframed, defined a bit differently. Eliminating whatever might be the cause of a nonconformity, like eliminating the root cause of the needle in the haystack, is possible, but is it worth the effort? Diverting resources to that task causes other tasks to be put on hold.
And, because the 2008 version of the standard buried preventive action deep in the standard and made preventive action a required procedure, the standard itself led to misunderstanding and disuse of preventive actions.
Preventive action is no longer buried in the text of ISO 9001 – it is embedded throughout the latest revision. It can no longer be misinterpreted as a standalone activity.
One more thing – preventive action is not framed in absolute terms. Note how ISO 9001 used to say “prevent occurrence of nonconformities” and how this compares with “minimize negative effects” and “make…use of opportunities”, as well as how ISO 9001 dispenses with a preventive action procedure and instead refers to the QMS in its entirety as a “preventive tool”. By going from a single procedure to the entire QMS, ISO is trying to make organizations like yours and mine see preventive action as a proactive – not a reactive – behavior.
Sometimes, change is a beautiful thing.
 Clause 8.5.3 of ISO 9001:2008, “Preventive Action”
 Often referred to as the “QMS”
 Clause 0.1, ISO 9001:2015
 Clause 0.3.3, ISO 9001:2015
 See Annex A, clause A.4, ISO 9001:2015
 For those of us who haven’t made the switch from ISO 9001:2008 to ISO 9001:2015, it still does, obviously.