• Identify Dangers in CAPA 2015, and Build a Comprehensive Improvement System


Identify Dangers in CAPA 2015, and Build a Comprehensive Improvement System


Wali Alam, President, Quality Institute of America, Inc., Houston, TX, USA


Risk Based Thinking, Corrective and Preventive Actions, Continual Improvement





The essence of an ISO 9001 based Quality Management System (QMS) is its requirement and ability to provide Continual Improvement to the organization. This has been true since it’s inception in 1987. Following the principles of Plan Do Check Act (PDCA), the system is built on planning the organization’s processes, checking for performance, and acting on any unacceptable performance by improving the processes that need to perform better. Over time, this yields system-wide Continual Improvement (CI) in quality, productivity, and therefore, profitability.

The core element of the system has been called Corrective & Preventive Actions or CAPA since the 1987 version. The 2015 version of ISO 9001 does not use the term Preventive Actions. This makes sense, since, the only difference between CA and PA was the trigger (problems that have happened or could happen- risk of happening). Hence the addition of Risk Based Thinking (RBT) throughout the Standard. However, there are several unintended dangers that must be recognized if you want to go beyond just minimal compliance:

  • RBT is somewhat nebulous and does not have the force of compliance like PA used to have.
  • RBT’s first step is Risk Assessment. Registration auditors of 2015 systems are noticing since 2016 that this is not being continued (much) after the first time Context of the Organization (COTO) is done.
  • The most popular tool for assessing risk are the Excel based tools with the Red, Yellow and Green grids. These look elegant and powerful but turn out to be not a popular activity. All such tools have link with the seminal FMEA tool developed around WWll by the US Navy. Only problem is that they seem to be used only once, and maybe freshened up to show to the auditor.
  • Both CA and PA have always been risk based, and the first step was always a Risk Assessment (formal or not). The occurrence of a problem or NC did not automatically require a CA. ISO 2015 could be interpreted otherwise and could pose a danger of diluting the power of a true Corrective Action.
  • The big improvement in the Standard is RBT—pervasive and constant alertness towards recognizing risks and processing them quickly. This is hard to do without an assist from technology. This paper will show how to use data-based technology to help get the most out of the full Risk Based Improvement Program (RBIP).
  • The secret would be to provide automation to eliminate the drudgery which prevents people from handling large amounts of Risk Assessments and Mitigations which would be necessary to finally get the full benefit of RBT. This paper will discuss how such a Risk Based Improvement Program (RBIP) might work.