Synthesize Risk Based Thinking and CAPA for a Risk Based Improvement Program (RBIP)

Wali Alam, Principal Consultant, Quality Institute of America, Inc., Houston, TX, USA

Keywords: ISO 9001:2015, Risk Based Thinking, Corrective & Preventive Actions-CAPA

Industry: All

Level: Intermediate


ISO 9001, 9002 of the 1987 and 1994 genre, and ISO 9001 of the 2000 and 2008 revisions all had separate requirements for Corrective Actions and Preventive Actions. In all these requirements, it was clear that both corrective actions and preventive actions were meant to prevent undesirable events (problem) from happening. It was also clear that these actions were aimed at the cause of the problem. In other words, while nonconformance control was focused on correcting problems with the product, corrective & preventive actions were focused on eliminating or reducing problems in the process that produced the product. The difference between corrective and preventive actions is how the nonconformance is identified. In the case of Corrective Action, the problem is identified because it actually occurred. Preventive Action on the other hand was identified by a process of forecasting a potential problem by data analysis, such as process performance trends, product performance trends, etc. This data analysis could be as formal, detailed and sophisticated as needed.

Of the first versions, perhaps the 1994 version had the most detailed verbiage describing the fact that both actual and potential nonconformances needed to be evaluated for the attendant risks, to determine if these corrective and preventive actions should be initiated. The term risk was actually used. The 2000 and 2008 versions, while retaining the need for evaluating whether an action should be taken or not, did not mention risk by name. The 2015 version has taken out the requirement for Preventive Action, and just left the requirement for Corrective Action. The 2015 version has linked Corrective Action directly with dealing with the consequences of nonconformances, as the first step towards taking Corrective Action. This arrangement could cause confusion about the need to take corrective actions against nonconformances. The danger is to believe that corrective actions need to be taken against all nonconformances. Many practitioners have believed this to be true, and initiated the process of corrective actions for each and every nonconformance. This is dangerous, because the system could be bogged down by too many corrective actions, some of which may not be necessary due to the low level of risks involved, which could be taken care of by creating barriers between the problem and the organization, such as setting up inspection steps for weeding out nonconforming products.

The 2015 version of Corrective Actions has the most complete definition of steps needed. However, it does not specifically call for risk analysis as the first step to take in the corrective action process. It does suggest a re-evaluation of the risk involved after the corrective action is implemented. This of course, is a very smart way to evaluate the traditional effectiveness of corrective/ preventive actions. It is well known that Preventive Actions have not been mentioned in the 2015 version. The reason is that it is not necessary to mention by name, since there are enough places in the new standard that require a general requirement for Risk Based thinking. The output of this risk based thinking should generate a more complete source of triggers for the traditional Preventive Actions. However, there is no guidance regarding how to take these triggers through a robust set of steps. There exists an opportunity, therefore, for practitioners and users of the standard to design their own system for doing what the traditional CAPA system did. This system can cover all aspects of running an organization with an intent to continually and deliberately improve its effectiveness in delivering whatever are its objectives and mission.

We are proposing the following Risk Based Improvement Program steps to capture the essence of what has been offered by the Quality Management System standards from 1987 to 2015.

1. Collect potential candidates for evaluating the risk that they could pose to the Organization s mission and goals. Remember to include negative as well as positive risks. These could be from:

a. Product nonconformances, all the way from raw materials to delivered products

b. Process nonconformances, all the way from manufacturing processes, procurement, design, calibration, maintenance, audits, and other.

c. Recognition of threats and opportunities that may present themselves from a study of the context of the organization, management review, etc.

d. Monitoring of data from customer satisfaction surveys, trade news and networking, etc.

e. When selecting candidates for risk analysis, an effort should be made to look at other similar sources of risk. This would be especially true for larger organizations.

2. Conduct a Risk Analysis of the above candidates. This analysis could follow a version the Failure Mode and Effect Analysis (FMEA) model first put together by the US military seventy years ago.

a. Organization should have a data-base of risks that it evaluates and deals with over time.

b. Check if the risk candidate has already been considered in the past. If so, pull it up and review results of the last analysis and any further actions. The risk should be evaluated in terms of the severity of damage that could be caused, the likelihood of its occurring, and the difficulty of detecting it, should it did occur.

c. The Risk Analysis should yield a Risk Priority Number (RPN) on a scale of say, 1000. There should be thresholds set up to help decide at which RPN should next steps be taken: abort and close the analysis if it is low enough, or start a Cause Analysis step.

3. Conduct a (Root) Cause analysis using tools such as 5-Why, Fish-Bone diagram, Design of Experiments, etc. This is the step where you will isolate process(es) that could cause the negative risk to materialize, or provide a potential path to improve and enhance organization s mission and objectives.

a. Consult organizational knowledge base to help in the process

b. Make a decision on whether or not to reduce the harmful effect of the process, or enhance its beneficial effect. This will depend on the cost of changing the process, against the benefit of doing so.

c. Abort or proceed according to the cost/ benefit analysis

4. If proceeding forward, then decide on the plan of Improvement Action for doing so. This may involve process engineering, human error elimination/ reduction, capital expenditures, etc.

a. Implement the plan

b. Check if the plan produces the results desired, and record such results

c. Determine the effect of the Improvement Action on the RPN in 2.c above. If the RPN has not been reduced sufficiently, then a follow up plan may be required

5. Take steps to spread the beneficial results of the Improvement Action to other parts of the organization

6. Update the Quality Management System, the Organizational Knowledge Base, including the Human Error Prevention part of the knowledge base.