Corrective Action and CAPA in OHS: A Complete Guide with Examples
The Fix That Wasn't Fixed
A logistics company installed non-slip matting at a loading bay following a slip incident. The incident report was closed. The corrective action was marked complete.
Eight months later, a worker slipped in the same area and fractured their wrist. Investigation found that the non-slip matting had been damaged and not replaced. The corrective action had treated the symptom — the wet surface at the time of the first incident — but had not addressed the root cause: no process existed for inspecting and maintaining the matting.
The first corrective action was a correction — it addressed the immediate problem. What was needed was a corrective action — an action that addressed the underlying cause and prevented recurrence.
This distinction sounds semantic. The difference in outcomes is not.
Definitions: Correction, Corrective Action, and Preventive Action
The terms are used loosely in most workplaces. ISO 45001 defines them precisely, and the distinction matters for building a safety management system that actually improves over time.
| Term | ISO 45001 Definition | Example |
|---|---|---|
| Correction | Action to eliminate a detected nonconformity or incident | Clean up the spill; replace the damaged matting |
| Corrective action | Action to eliminate the cause of a nonconformity and prevent recurrence | Implement a weekly matting inspection procedure with assigned responsibility |
| Preventive action | Action to eliminate the cause of a potential nonconformity — before it occurs | Identify other areas in the facility where similar matting degradation could occur; apply the same inspection protocol proactively |
| CAPA | Corrective Action and Preventive Action — the combined system for managing both | The system that ensures every nonconformity is corrected AND its cause addressed AND similar issues elsewhere are proactively managed |
Most organizations stop at correction. The spill is cleaned up; the report is closed. Corrective action requires one more step: why did the spill occur, and what systemic change prevents it from occurring again?
What Triggers a Corrective Action in OHS?
Corrective actions are required in response to nonconformities — failures to meet a requirement. In OHS, nonconformities arise from:
| Trigger | Example |
|---|---|
| Incident or near-miss | A worker slips because wet floors are not managed — the absence of a wet floor management process is the nonconformity |
| Internal audit finding | Audit reveals that risk assessments have not been updated after process changes |
| External audit / regulatory inspection | Regulator cites inadequate lockout tagout procedures during an inspection |
| Safety inspection finding | Monthly inspection identifies a recurring hazard that previous corrective actions have not resolved |
| Worker complaint or hazard report | Worker reports an ergonomic problem that has existed for months without management response |
| Management review finding | Review identifies that a specific incident type is increasing despite previous corrective actions |
ISO 45001 Clause 10.2 requires that when an incident or nonconformity occurs, the organization shall:
- React in a timely manner
- Investigate the nonconformity and determine its cause
- Determine if similar nonconformities exist or could occur
- Review the effectiveness of any previously taken corrective action
- Implement any action needed
- Review effectiveness of corrective action taken
- Make changes to the OHS management system if necessary
The CAPA Process: 6 Steps
Step 1: Identify and Document the Nonconformity
Before a corrective action can be developed, the nonconformity must be clearly described. A well-written nonconformity statement includes:
- What happened (or what is failing to happen)
- Where it occurred
- Who is affected
- Which requirement is not being met (ISO 45001 clause, legal requirement, internal procedure)
- When it was identified
Poor: "LOTO not followed" Better: "Three incidents recorded in Q3 2026 where LOTO procedures were not applied prior to routine maintenance tasks on production Line 3. LOTO procedures exist but workers report they are 'too complicated' for the tasks involved. ISO 45001 Clause 8.1 operational control requirement not met."
Step 2: Contain the Risk (Immediate Correction)
Before the root cause investigation, address any ongoing safety risk:
- Stop work if there is an immediate danger
- Apply interim controls to protect workers while the investigation continues
- Notify affected personnel
Document the interim correction separately from the corrective action — they address different things.
Step 3: Investigate Root Causes
Root cause investigation is the heart of the corrective action process. Identifying the wrong root cause produces a corrective action that does not prevent recurrence.
The most commonly used root cause tools in OHS CAPA:
5 Whys: Ask "why" repeatedly until the systemic cause is reached:
- Why did the worker not follow the LOTO procedure? — "The procedure was too complicated for a quick task"
- Why was the procedure too complicated? — "It was designed for full maintenance shutdowns, not quick adjustments"
- Why wasn't a simplified procedure developed for routine adjustments? — "No one identified this gap during procedure development"
- Why was the gap not identified? — "There is no process for reviewing procedures after they are initially approved"
- Why is there no review process? — "The OHS management system does not require periodic procedure review"
Root cause: Absence of a procedure review process in the management system
Fishbone (Ishikawa) Diagram: For complex incidents with multiple contributing factors, the fishbone structure organizes causes across six categories: Man, Machine, Material, Method, Measurement, and Environment.
For detailed guidance on root cause investigation tools, see Root Cause Analysis in Workplace Safety.
Step 4: Develop the Corrective Action
The corrective action must address the root cause — not the symptom. For the LOTO example:
| Symptom-Level (Correction Only) | Root Cause Level (Corrective Action) |
|---|---|
| "Re-train workers on LOTO procedures" | "Develop task-specific LOTO procedures for routine adjustments on Line 3; implement a management system process for annual procedure review" |
Each corrective action must have:
- A specific action (not "improve LOTO compliance")
- A named owner
- A specific completion date
- A verification method (how will you know the corrective action was effective?)
Step 5: Implement and Verify Effectiveness
Corrective action implementation is the step most organizations do adequately. Effectiveness verification is the step most organizations skip.
Verification must occur after sufficient time has elapsed to determine whether the corrective action has achieved its intended outcome. For a LOTO training program, verification might mean:
- Observation of LOTO application 30 days after training — are workers actually following the revised procedure?
- Zero LOTO-related incidents in the three months following implementation
- Re-audit of the LOTO program at the next internal audit
A corrective action is not effective if the nonconformity recurs. If the original problem returns, the root cause analysis was incomplete, the corrective action was insufficient, or implementation was not sustained.
Step 6: Identify and Address Systemic Patterns
ISO 45001 Clause 10.2 requires organizations to determine whether similar nonconformities exist elsewhere. For the LOTO example:
- Are there other production lines where routine adjustment procedures are as complex?
- Are there other types of equipment where quick-adjustment tasks regularly bypass the full LOTO procedure?
- Is the absence of a procedure review process creating similar gaps in other areas of the management system?
The organization that asks these questions and acts on the answers is building a management system that improves. The organization that closes each corrective action in isolation is managing incidents — not managing safety.
CAPA Register: What It Must Contain
A CAPA register is the tracking tool for all open and closed corrective and preventive actions. Minimum required fields:
| Field | Purpose |
|---|---|
| CAPA reference number | Unique identifier for tracking and audit |
| Date opened | When the nonconformity was identified |
| Source | Incident, inspection, audit, complaint, etc. |
| Nonconformity description | What failed; which requirement was not met |
| Immediate correction | What was done to address the immediate risk |
| Root cause(s) | Cause(s) identified through investigation |
| Corrective action(s) | Specific actions to prevent recurrence |
| Owner | Named person responsible for each action |
| Due date | Specific completion deadline |
| Status | Open / In progress / Closed / Overdue |
| Effectiveness verification | How verified; date of verification |
| Date closed | When the CAPA was formally closed |
Common CAPA Failures in OHS
| Failure | Consequence | Prevention |
|---|---|---|
| Treating correction as corrective action | Incident recurs; root cause never addressed | Train investigators to distinguish between correction and corrective action |
| Superficial root cause investigation | Corrective action addresses symptom only | Use structured tools (5 Whys, fishbone); require minimum three levels of "why" |
| Corrective actions with no owner | Nothing happens; CAPA register fills with stale open items | Require a named owner for every action before the CAPA is accepted |
| No effectiveness verification | Actions are marked complete based on implementation, not outcomes | Schedule effectiveness verification as a separate step; do not close CAPA until verification complete |
| No systemic extension | Same problem appears in different area | Add "Are there similar nonconformities elsewhere?" as a required question in every CAPA |
| CAPA not linked to audit findings | Audit findings and corrective actions are managed in separate systems; cross-referencing impossible | Use integrated system (or consistent reference numbering) linking audit findings to CAPA records |
CAPA and ISO 45001
| ISO 45001 Clause | Requirement | CAPA Addresses It By |
|---|---|---|
| Clause 10.2 | React to incidents and nonconformities; investigate cause; take corrective action | Systematic process for investigating and addressing nonconformities |
| Clause 9.1 | Monitor OHS performance | CAPA closure rate and effectiveness data are performance indicators |
| Clause 9.3 | Management review | CAPA status and trends are required inputs to management review |
| Clause 10.3 | Continual improvement | Effective CAPA is the primary mechanism of OHS system improvement |
How FindRisk Manages Corrective Actions
FindRisk integrates corrective action management directly into the inspection and audit workflow:
Automatic CAPA creation: Every finding from an inspection, audit, or incident investigation automatically generates a corrective action record. No transcription required.
Root cause recording: The corrective action form prompts for root cause identification — separating the correction from the corrective action and requiring the investigator to document the underlying cause.
Owner notification: When a corrective action is assigned, the named owner receives a notification with the action details and deadline. Reminders are sent as the deadline approaches.
Effectiveness tracking: When an action is marked complete, the system prompts for effectiveness verification — requiring documented evidence that the action achieved its intended outcome before the CAPA is closed.
Trend analysis: All CAPA data is aggregated across all inspections, audits, and incidents — enabling management to identify which hazard types, departments, or processes are generating the most corrective actions and where systemic improvement is needed.
Frequently Asked Questions
What is the difference between CAPA and corrective action?
"Corrective action" refers specifically to actions taken to eliminate the cause of a detected nonconformity. "CAPA" (Corrective Action and Preventive Action) is a broader system that includes both corrective actions (responding to detected nonconformities) and preventive actions (eliminating the causes of potential nonconformities — problems that haven't occurred yet). In practice, ISO 45001 uses "corrective action" where older quality management standards used "CAPA" — but the concept is the same.
How long should corrective actions remain open?
The timeline for a corrective action depends on the severity of the underlying risk and the complexity of the fix. Immediate corrections (removing a hazard) should be completed within 24–48 hours. Systemic corrective actions (developing a new procedure, implementing a training program) may take 30–90 days. Actions that remain open beyond their due date must be escalated — a CAPA register full of overdue items is a management system failure, not just an administrative one.
Who is responsible for verifying corrective action effectiveness?
The safety officer or internal auditor — not the person who implemented the corrective action. Effectiveness verification must be independent to be meaningful. The person who implemented the action has an interest in the outcome being positive. An independent reviewer (another safety officer, the internal auditor, or a senior manager) provides the objectivity needed to genuinely assess whether the corrective action prevented recurrence.
Can a corrective action be closed before the effectiveness verification period is complete?
No. An action should be marked "implemented" when the specific steps have been completed, and "closed" only after effectiveness has been verified over an appropriate period. Closing a CAPA based on implementation rather than effectiveness verification is the most common cause of recurrent nonconformities.
Conclusion
Corrective action is the mechanism by which safety management systems improve. A system that generates nonconformity findings but does not drive root cause investigation and verified corrective action is not a safety management system — it is a documentation system.
The organization that asks "why did this happen?" — not just "what happened?" — and then asks "where else could this happen?" is the organization that genuinely improves its safety performance over time.
According to research by the National Safety Council, organizations with mature corrective action processes (defined as those with documented root cause investigation, named owners, and effectiveness verification for all CAPA items) had 40% lower incident rates than organizations with reactive correction-only approaches.
The difference is not how many incidents you have. It is whether each incident makes your system better.
Download FindRisk to integrate corrective action tracking directly into your inspections and audits — with automatic CAPA creation, owner notification, deadline tracking, and effectiveness verification built into a single mobile workflow.
Try FindRisk
Ready to modernize your safety workflow?
Conduct AI-powered risk assessments, generate reports instantly, and keep your team safe — anywhere, anytime.