
CAPA (Corrective & Preventive Action)

CAPA (Corrective and Preventive Action) is a systematic risk management process you use to identify the root causes of incidents, hazards, or non-conformities and implement controls to prevent their recurrence or occurrence. It transforms reactive data from incidents into proactive safety improvements.

What is CAPA?

CAPA stands for Corrective Action and Preventive Action. It's the engine room of your organisation's safety management system (SMS) and quality frameworks. In the context of Australian WHS legislation, CAPA is the mechanism that demonstrates you are actively learning from failures rather than merely fixing symptoms.

While the terms are often grouped, they serve distinct functions in your risk management strategy. Understanding these differences ensures you address both immediate failures and potential future risks.

| Component | Focus | Trigger | Goal |
|---|---|---|---|
| Correction | Immediate Containment | Detected non-conformity (e.g., a spill) | Make the situation safe now |
| Corrective Action | Root Cause Elimination | Detected non-conformity (e.g., the spill happened) | Prevent the specific issue from recurring |
| Preventive Action | Potential Risk Elimination | Potential non-conformity (e.g., trend data) | Prevent a problem from occurring in the first place |

In modern safety standards like ISO 45001:2018, the formal term "preventive action" has been replaced by Risk-Based Thinking. This shift requires you to integrate prevention into every stage of planning—identifying risks before work begins—rather than treating it as a separate documentation step. However, the principle remains identical: you must act on uncertainty before it becomes an injury.

How it works

An effective CAPA process follows a structured lifecycle, typically aligned with the Plan-Do-Check-Act (PDCA) cycle. You must ensure your system moves beyond simple "fixes" to address systemic deficiencies.

1. Identification and Immediate Correction

The process begins when a deviation is identified through an incident investigation, near miss report, or safety inspection.

Immediate Correction means you take immediate steps to contain the risk. If a machine guard is broken, the correction is to stop the machine and tag it out. This is not the corrective action; it is a temporary stop-gap to ensure safety while you investigate.

2. Root Cause Analysis (RCA)

This is the pivotal step where most organisations fail. You must investigate why the failure occurred. If a worker slipped on oil, the root cause is rarely "worker carelessness." It is often an engineering failure (leaking seal) or a system failure (inadequate maintenance schedule).

You should use structured tools like 5 Whys or Fishbone diagrams to drill down to the latent conditions. If you stop at the immediate cause, the incident will recur.

3. Determine Controls (Hierarchy of Controls)

Based on the root cause, you must select appropriate controls. Australian WHS regulations mandate that you apply the hierarchy of controls, prioritising the highest level of protection reasonably practicable.

| Level | Action | Example |
|---|---|---|
| Elimination | Remove the hazard entirely | Automating a manual handling task |
| Substitution | Replace with something safer | Using water-based chemicals instead of solvents |
| Engineering | Isolate people from hazard | Installing physical guards or ventilation systems |
| Administrative | Change work practices | Rotation schedules, training, or signage |
| PPE | Protect the worker | Respirators, gloves, earplugs |

4. Implementation

You must assign a specific person and a deadline to each action. Accountability is critical. Avoid assigning actions to "All Staff" or "Safety Team"; name the individual responsible for closing the loop.

5. Verification of Effectiveness (VoE)

Closing a CAPA does not mean the risk is controlled. You must verify that the action was effective. This involves checking evidence of the outcome, not just the activity. Did the hazard recur? Did the risk level drop? If the hazard recurred or the risk level did not drop, the CAPA has failed and must be reopened.

Why it matters

Implementing a robust CAPA system is not just operational best practice; it is a core component of your legal defence and business resilience.

Legal Compliance and Due Diligence

Under the Work Health and Safety Act 2011 (and state equivalents like the OHS Act 2004 in Victoria), officers (directors and senior executives) have a positive duty of due diligence. This requires them to verify that the organisation has appropriate resources and processes to eliminate or minimise risks.

A functioning CAPA register provides critical evidence that you are:

  • Responding to information about hazards and incidents
  • Verifying the provision and use of resources
  • Ensuring compliance with your own safety duties

Recent case law, such as SafeWork NSW v Mitchell Doble, highlights that officers can be personally liable if they fail to take reasonable steps to ensure their business complies with WHS duties, including failing to enforce known safety systems. Ignoring open corrective actions is a direct breach of this duty.

Business Value

Effective CAPA prevents the "revolving door" of incidents, where you pay for the same failure multiple times. By addressing the root cause, you reduce downtime, equipment damage, and insurance premiums. It shifts your culture from reactive "fire-fighting" to proactive improvement.

Common challenges

1. Treating Symptoms, Not Causes

The most common failure mode is stopping at "Immediate Correction." Organisations often fix the broken part or retrain the worker but ignore the design flaw that caused the break or the fatigue that led to the error.

"Retrain worker" is frequently a weak corrective action that fails to address the system. If human error is the conclusion, you haven't dug deep enough into the systemic conditions that allowed the error to occur.

2. The "Tick and Flick" Mentality

Organisations may rush to close CAPAs to meet Key Performance Indicators (KPIs) (e.g., "Close 100% of actions within 30 days"). This encourages superficial fixes.

A CAPA closed on paper but unresolved in the field is a "latent error" waiting to trigger a future incident. Measure effectiveness, not just closure rates.

3. Lack of Verification

Many safety managers assume that because an action is marked "Complete," the risk is gone. Without a formal Verification of Effectiveness step—typically conducted 3–6 months later—you cannot be certain the control works.

You may find guards removed or procedures ignored because they were impractical. Verification must be based on objective evidence, not just a checkbox.

4. Overloading the System

If you raise a formal CAPA for every minor issue (e.g., a missing pen), you dilute the visibility of critical risks. Your system must distinguish between "quick fixes" (maintenance) and "corrective actions" (systemic change) to ensure resources are focused on high-consequence hazards.

Use your risk matrix to triage issues. High-potential incidents demand comprehensive Root Cause Analysis, while low-risk issues may only require a simple fix.

Best practices

Risk-Rank Findings

Not every hazard requires a full investigation. Use your risk matrix to triage issues. High-potential incidents demand comprehensive Root Cause Analysis, while low-risk issues may only require a simple fix.

Involve Your Workers

The people doing the work often know the true root cause and the most practical solution. Consulting them is not only a legal requirement under WHS laws but ensures the corrective action is actually workable.

Workers can identify barriers to compliance that aren't visible to management—time pressure, conflicting goals, or impractical procedures.

Focus on Systems

Shift your investigation language from "Who failed?" to "What failed?". Human error is almost always a symptom of a system problem (e.g., poor interface design, lack of resources, conflicting goals).

When you investigate incidents, look for the latent conditions—design flaws, inadequate training systems, or organisational pressures—that created the conditions for failure.

Verify Evidence, Not Just Statements

When verifying a CAPA, look for objective evidence. Do not just ask "Did you do it?"; go to the site and observe the new process in action. Check maintenance records, review trend data, or interview workers to confirm the control is actually working.

Use the Hierarchy of Controls

When determining corrective actions, always start at the top of the hierarchy of controls. If your default response is to add training or PPE, challenge yourself to find higher-level engineering or elimination solutions.

Close the Loop with Leadership Visibility

Ensure your CAPA register is visible to officers and senior management. Open CAPAs should be a standing agenda item in safety committee meetings and management reviews. This demonstrates due diligence and keeps corrective actions from stalling.

Frequently Asked Questions

What is the difference between correction and corrective action?

Correction is the immediate action taken to fix a detected problem, such as mopping up a spill or replacing a broken part. Corrective action is the process of identifying the root cause (e.g., a leaking seal) and implementing a permanent fix to prevent the problem from happening again.

Is "Preventive Action" still required under ISO 45001?

Yes, but the terminology has changed. ISO 45001 replaces the specific "preventive action" clause with "Risk-Based Thinking." You are still required to identify and address potential risks proactively; the standard now expects this to be integrated into your overall planning and risk assessment processes rather than treated as a separate, reactive step.

How do I know if a corrective action was effective?

You verify effectiveness by reviewing the issue after a set period (e.g., 3-6 months). You must look for data showing that the specific problem has not recurred and that the new control has not introduced new hazards. If the issue returns, the root cause was likely not addressed.

References and Further Reading

Safe Work Australia's Model Code of Practice: How to Manage Work Health and Safety Risks provides comprehensive guidance on risk management processes including corrective and preventive actions.

WorkSafe Victoria: The Hierarchy of Control outlines the framework for selecting appropriate control measures when addressing identified hazards through the CAPA process.

SafeWork NSW: Due Diligence explains officer obligations under WHS legislation, including the requirement to verify risk management systems like CAPA are functioning effectively.

Comcare: Exercising Due Diligence - Guidance for Officers provides practical guidance on how officers can fulfil their due diligence obligations, including oversight of corrective action systems.

ISO 45001:2018 Occupational health and safety management systems - Requirements with guidance for use establishes the international standard for OHS management systems, including requirements for incident investigation, corrective action, and continual improvement.
