William A. Levinson

Risk Management

Design Robust Processes to Avoid ISO 9001:2015 Nonconformances

Ineffective CAPA processes are the greatest source of ISO 9001 audit findings

Published: Tuesday, February 26, 2019 - 13:03

The Pareto principle calls for focus on the vital few rather than the trivial many. While none of ISO 9001’s clauses are trivial—a nonconformance for any of them requires corrective action—ISO 9001 users can avoid most nonconformances by focusing on the clauses that are the most frequent trouble sources, and also on what look like frequent common root causes for most of the nonconformances.

Penny Ouellette at Orion Registrar provided a valuable service by identifying the clauses in question.[1] The following information is based on nonconformance reports (NCRs) collected by the ANSI National Accreditation Board (ANAB), as accumulated roughly halfway into the transition from ISO 9001:2008 to ISO 9001:2015. The NCRs were written against the following sections of the standard.

4.4.1 Quality management system and its processes

7.2 Competence

8.4.1 Control of externally provided processes, products, and services

9.1.2 Customer satisfaction

9.2.1 Internal audit

9.3.2 Management review inputs

10.2.1 Nonconformity and corrective action.
• Corrective and preventive action (CAPA) is the second greatest source of FDA Form 483 citations for Oct. 1, 2015, through March 31, 2016,[2] and this reference cites “complaints” as the top source. The FDA Group[3] cites “complaint files” as the third leading source (behind CAPA and design controls) of Form 483 observations for 2015 but adds that complaint files relate to the CAPA subsystem of the quality management system—as does the fourth leading source, nonconforming product. In other words, the second, third, and fourth biggest trouble sources all relate to CAPA for a total of 31.3 percent.
• BSI cited clause 10.2.1 as the greatest source of major nonconformities in IATF 16949 audits.[4] BSI added that IATF Clause 10.2.3—Problem solving, is the second greatest source of major nonconformities. This clause does not appear in ISO 9001:2015, but it is clearly related to 10.2.1 because it requires, among other things, root cause analysis, implementation of “systemic corrective actions,” and verification of their effectiveness. BSI’s handout adds that organizations fail to identify root causes effectively and fail to implement effective and systemic corrective actions.

The takeaway so far is that ineffective CAPA processes are apparently the greatest source of ISO 9001 audit findings, FDA Form 483 citations, and IATF 16949 findings. Ouellette also cited the following “areas of difficulty.”

4.1 Understanding the organization and its context

4.2 Understanding the needs and expectations of interested parties

5.1.1 d) Promoting the use of the process approach and risk-based thinking

6.1 Actions to address risks and opportunities

This gives us 11 clauses, but the trouble appears to reside among a much smaller set of underlying root causes. Foremost among these is the need to remember that ISO 9001 has called for a process approach since 2000. Clause 4.4.1 a) requires identification of process inputs and outputs, and 4.4.1 b) requires the sequence and interactions of the process. Interactions are particularly important because process interfaces and handoffs are frequent trouble sources. The Automotive Industry Action Group’s CQI-20—Effective Problem Solving adds (on page 22), “The source of every problem stems from a process.”[5] This suggests a process for process design and assessment that should, to the greatest extent possible, nonconformance-proof the processes of any quality management system.

Design robust processes to avoid nonconformances

Processes, like organizations, have contexts (clause 4.1) as well as relevant interested parties (clause 4.2). Process failure mode effects analysis (PFMEA) has been applied traditionally to processes for product realization, but it could be applied to all processes within the quality management system under the concept of a QMS FMEA. This is a strong argument for every process of the QMS to include:

• Scope and context of the process (clauses 4.3 and 4.1 at the process level), in terms of the process’s purpose as well as issues that affect its ability to deliver the desired outputs
• The process’s relevant interested parties (clause 4.2), including internal and external customers and suppliers, and their needs and expectations.
• Risks and opportunities associated with the process, along with controls (similar to those in a control plan) for addressing these risks. This deploys clause 6.1 to the process level.

Figure 1 in the ISO 9001:2015 standard (also figure 1 below) tells the user almost everything he needs to know about the process approach. The acronym SIPOC traditionally stands for suppliers, inputs, process, outputs, and customers, while ISO presents this as sources, inputs, activities, outputs, and receivers. The underlying principle is, however, identical, and the standard makes clear that sources and receivers (or suppliers and customers) are all relevant interested parties with needs and expectations. Customers and suppliers may be internal or external, and processes can be customers of or suppliers to other processes.

Figure 1: Schematic representation of the elements of a single process. Source: ISO.

The process approach to corrective and preventive action (CAPA)

The across-the-board prevalence of CAPA-related nonconformities in ISO 9001, FDA requirements, and IATF 16949 (the standard for automotive quality management systems published by the International Automotive Task Force) suggests that this is a good process with which to illustrate the design of a robust process. The importance of CAPA becomes even more obvious when we realize that it is applicable to continuous improvement, as opposed to just correction or avoidance of poor quality. We must also rely on our CAPA process to correct nonconformities in all the other processes of our quality management system. Remember that audit findings and outputs of the management review process also can initiate CAPA. CQI-20 is meanwhile an excellent off-the-shelf model for many process considerations, including inputs, outputs, and risks associated with each step.

Now we will apply clauses 4.1, 4.2, 4.3, and 6.1 to the CAPA process as depicted by CQI-20. The following example shows how any process might be documented to make it clear to an auditor that the organization has considered all these issues. Readers can probably think of more ideas, but the takeaway is that applying this approach to each process of the QMS should prevent unpleasant surprises during audits and, more important, during use of the process.

Scope and context of the process

The purpose (scope) of the CAPA process is not only to identify and remove the root causes of nonconformances, but also to provide a structured approach to preventive action as well as remove all forms of muda (waste) from the organization. The context of this process includes the following internal and external issues.

Internal issues

• How does the organization ensure that CAPA team members have the requisite competencies to perform the activities of the process? This consideration is a handoff to the organization’s competency process that supports clause 7.2.

• How do the organization’s leaders promote an organizational culture in which workers seek to expose and solve problems rather than cover them up? AIAG’s CQI-20—Effective Problem Solving, pp. 15–16, cites the role of organizational culture in problem solving and continual improvement; Appendix A offers an organizational culture assessment tool. This issue relates to clause 5.1 on leadership and commitment.

• How does the organization use the CAPA process to deploy Henry Ford’s guidance, “If there is any fixed theory—any fixed rule—it is that no job is being done well enough”?[6] CQI-20 (page 16) adds, “Status quo should never be accepted. Structures are in place to continuously improve performance at all levels.”

• How does the organization ensure that CAPAs move forward to completion? CQI-20 adds (page 15) that failure to complete the CAPA process is a major reason for ineffective CAPA, which we have already seen is a major source of audit findings.

• What mechanisms does the organization have in place for workers to initiate CAPA not only for poor quality but also for other forms of waste as well as occupational health and safety (near miss reports)? These mechanisms would support clause 7.4 as well as ISO 45001’s requirements for workforce participation.

External issues

• What mechanisms does the organization have in place for customers to initiate CAPA? These mechanisms would probably involve clause 8.2.1 c) with regard to customer feedback and complaints.

These issues are phrased as questions that require narrative rather than yes/no responses. The organization should be able to show the auditor, and also itself, exactly how it addresses these context-related internal and external issues. If the answer consists merely of “yes,” the auditor’s next question will obviously be, “How?” It saves time to document the response up front. Assessing the context of the process also identifies relevant internal and external interested parties.

Needs and expectations of interested parties

Figure 2 applies the SIPOC model to the CAPA process to identify its relevant interested parties, their needs and expectations, and handoffs and interactions with other processes of the QMS. The table shows that CAPA is both a customer and supplier of the organization’s Lessons Learned database, or comparable resource, for clause 7.1.6—Organizational knowledge.

AIAG’s CQI-20—Effective Problem Solving, takes this approach a step further by defining inputs and outputs for each step of the process. Figure 31 of CQI-20 illustrates a sample containment process, with inputs and outputs (or results) defined for each step of the process rather than for the overall process. As an example, the third step is the definition of the symptom or problem to be contained. The input consists of samples of the nonconformance (supplied presumably by the process that generated or detected it), and the output is a “clearly defined nonconformance condition” for which the customers are likely to be the cross-functional team that performs the CAPA as well as the planning process (such as design or process FMEA) that might not have identified the failure mode in question. (Figure 31 of CQI-20 shows only the inputs and outputs for each step, though, and not the suppliers and customers that may be specific to the organization that uses the containment process.)

This approach can be used as a model for documenting and assessing any process, and should be highly capable of identifying all relevant interested parties along with their needs and expectations.

Figure 2: SIPOC table for a CAPA process

Risks and opportunities associated with this process

Suppose the process consists of CQI-20, or the similar Eight Disciplines (8D) process from the Ford Motor Co. Table 2 shows how the process might be documented to address risks and opportunities associated with each step, as well as risk assessment and controls whose purpose is to mitigate or eliminate the risk. This information could also be presented in a table with a row for each activity, which would in fact be the format for a process FMEA or the Army’s simpler DD2977—Deliberate Risk Assessment Worksheet.

Figure 3 adapts the risk assessment process from the Army’s DD2977—Deliberate Risk Assessment Worksheet, which is far simpler than FMEA. Figure 3 shows DD2977’s four severity classifications (catastrophic, critical, moderate, and negligible) and five probability ratings (frequent, likely, occasional, seldom, and unlikely), and how to cross-reference them to get an overall risk rating. The catastrophic severity level corresponds to an FMEA severity of 9 or 10, which indicates a failure mode that can jeopardize human safety or cause noncompliance with a government regulation. It is unlikely to apply to a quality-related issue unless that issue is safety-related. Adaptation to quality requires the assumption that lower severity levels do not involve the possibility of injury or unsafe products, but only (for example) allowing poor quality to be passed on to an internal or external customer. The probability ratings combine the FMEA occurrence and detection ratings; they indicate the chance that the failure will, first, occur and, second, avoid detection by whatever controls are present.

Figure 3: DD2977 risk-assessment matrix

The biggest risk, or more precisely, missed opportunity related to CAPA involves failure to apply it to all seven Toyota Production System (TPS) wastes, most of which can be more costly than poor quality. The very phrase “corrective and preventive action” creates a self-limiting perception that it is applicable only to poor quality and related issues such as audit findings. The CAPA process works for any gap between a current state (the way the job is currently performed) and an ideal future state (the way the job could be performed if we removed all the waste). We can and should treat the gap as a “nonconformance,” and put our CAPA process to work on it. The error cause removal (ECR) program depicted by James Halpin[7] empowers workers and other stakeholders to initiate CAPA for all seven TPS wastes. The section below illustrates this issue for the first step of the CAPA process. CQI-20, Appendix B, adds a list of additional risks (inhibitors) for efficient problem resolution.

CAPA process activities, risks, and opportunities

1. Awareness of the problem
Risk and failure effect: Failure to recognize a quality-related problem means it will continue to cause trouble.

• Severity: Critical, as poor quality will continue to be produced.
• Probability: Seldom, as poor quality is the only TPS waste that announces its presence. This means it is likely to be detected by the existing process controls.
• Risk level: Medium
• Existing controls: Inspection, testing, and other quality assurance activities along with customer communications. CQI-20 (and 8D) have clearly defined mechanisms for awareness.

Opportunity and failure effect: Treat all seven TPS wastes, and not just poor quality, as gaps between the current and ideal states. Failure to exploit this opportunity will result in nondetection of, and inaction on, wastes that are often more costly than poor quality.

• Severity: Critical, as costly waste will persist.
• Probability: Frequent. The other six TPS wastes are asymptomatic and do nothing to announce their presence, and they are also usually built into the job. This means they are present 100 percent of the time.
• Risk level: Extremely high
• Existing controls: No formal controls; CAPA addresses the other six TPS wastes only by implication.
• Planned controls:
– Document all product realization processes with Shingo process maps that force all wastes of cycle time to become visible.
– Perform material and energy balances on product realization processes to force all wastes of material and energy to become visible. This supports ISO 14001 and ISO 50001, respectively, and can also be built into Shingo maps.
– Perform motion efficiency studies to detect waste motion and wasted effort.
– Treat, for analytical purposes, the gap between the current state and the potential or ideal state as a “nonconformity.” Compare “the ideal state for how work processes should perform” against “the current reality.”[8] ISO 50001:2018 recommends a similar form of current state vs. ideal state gap analysis with regard to energy consumption.
– Empower workers and other relevant interested parties to use the error cause removal (ECR) program depicted by Halpin.
• Residual risk: The planned controls are expected to reduce the probability to occasional, and the risk level to high.

2. Establish a cross-functional team
Risk and failure effect: Team does not include the required subject matter experts, champion, or sponsor. This will often preclude successful CAPA.

• Severity: Critical
• Probability: Seldom
• Risk level: Medium
• Existing controls: 8D and CQI-20 activities should ensure that the cross-functional team includes the necessary skills, resources, and authorities.

3. Define the problem
Risk and failure effect: Incorrect definition of the problem means the actual problem will not be solved, and the problem will persist. CQI-20, Appendix B, identifies incorrect problem definition as a risk area.

• Severity: Critical
• Probability: Seldom
• Risk level: Medium
• Existing controls: 8D and CQI-20, and their supporting techniques, address the issue of accurate problem definition.

4. Contain the problem (required only for poor quality)
Risk and failure effect: Poor quality reaches the internal or external customer.

• Severity: Critical
• Probability: Seldom
• Risk level: Medium
• Existing controls: 8D and CQI-20 address containment, as does the organization’s process—it has to have one—for clause 8.7 (control of nonconforming outputs).

5. Identify the root causes
Risk and failure effect: The problem’s root cause is not identified, corrective action is therefore not taken, and the problem can recur. CQI-20, Appendix B, adds that potential causes are sometimes identified as root causes because of preconceived ideas or impatience by management.

• Severity: Critical
• Probability: Occasional or likely, as implied by the BSI webinar, which says that organizations often fail to identify the problem’s actual root cause. Diligent application of 8D or CQI-20 should reduce this to seldom.
• Risk level: High (in the absence of a process like 8D or CQI-20), otherwise medium
• Existing controls: 8D and CQI-20 include or reference numerous tools like the Five Whys, concentration diagram, cause-and-effect diagram, and other well-established root cause analysis methods.

Risk and failure effect: The three root causes depicted by CQI-20 (page 35) are not all identified, and corrective action is taken only for the most obvious one or possibly two. The occurrence root cause explains why the poor quality was generated, while the escape root cause explains why it escaped to the internal or external customer. The systemic root cause explains why the quality system or quality planning process failed to identify the other root causes. IATF 16949 10.2.3 d) requires systemic corrective actions.

• Severity: Critical
• Probability: Depends on whether the CAPA process addresses this issue; CQI-20 does.
• Risk level: Moderate to high, again depending on whether the CAPA process addresses systemic root causes.
• Existing controls: Included in CQI-20

6. Select and test corrective or preventive actions
Risk and failure effect: The selected action is not effective, and the problem can recur.

• Severity: Critical
• Probability: Seldom
• Risk level: Medium
• Existing controls: 8D and CQI-20 include or reference numerous tools like hypothesis testing.

Risk and failure effect: The selected action has unintended and undesirable side effects.

• Severity: Critical
• Probability: Seldom
• Risk level: Medium
• Existing controls include assessing management of change (MOC) issues. The basic principle is that any change in, for example, manpower, method, material, measurement, machine, or environment can have unwanted side effects. CQI-20 cites this issue explicitly.

7. Implement and verify the corrective or preventive action
Risk and failure effect: Failure to implement the action can allow the problem to recur, or if the action is preventive, occur.

• Severity: Critical
• Probability: Occasional or likely, as implied by the BSI webinar. Diligent application of 8D or CQI-20 should reduce this to seldom.
• Risk level: High (in the absence of 8D, CQI-20, or the equivalent), otherwise medium
• Existing controls: 8D and CQI-20 include or reference numerous tools such as error-proofing and trying deliberately to make the problem recur. If the problem can be turned on and off at will, the solution is probably effective.

8. Prevent recurrence, standardize (institutionalize) the solution, and update organizational knowledge to hold the gains
Risk and failure effect: Failure to update the Lessons Learned database may result in the organization having to solve the same problem more than once.

• Severity: Critical
• Probability: Unlikely if the process is used diligently
• Risk level: Low
• Existing controls: Present in CQI-20 and 8D. The organization has, or should have, a Lessons Learned database to support clause 7.1.6—Organizational knowledge.

Risk and failure effect: Failure to deploy the solution to related processes may result in similar problems occurring. CQI-20, Appendix B, cites failure to read-across the actions to similar processes and products as a specific “inhibitor to efficient problem resolution.”

• Severity: Critical. IATF 16949 10.2.3 c) requires “consideration of the impact on similar processes and products,” which would make failure to do this a nonconformance.
• Probability: Unlikely if the process is used diligently
• Risk level: Low
• Existing controls: Present in CQI-20 and 8D. See also Read Across/Replicate Process, which applies Henry Ford’s principle that “the benefit of our experience cannot be thrown away.”[9]

9. Recognize the team
Risk and failure effect: Failure to reinforce the desired team behavior will make it less likely to occur in the future, a phenomenon known as extinction.

• Severity: Critical
• Probability: Unlikely if the process is used diligently
• Risk level: Low
• Existing controls: Present in CQI-20 and 8D.


If the organization can show an auditor how it assesses the context and scope of each process, including internal and external issues that affect the process’s ability to deliver the desired results; the risks and opportunities associated with each process; the needs and expectations of the interested parties for each process or even each process step; and the inputs, outputs, and handoffs of each process, most audit findings can probably be avoided. AIAG’s CQI-20 does an excellent job of assessing these considerations and is a good model for process design and documentation.

Organizations should remember, however, that the ultimate purpose of the system is not to avoid audit findings, but rather to ensure that the processes deliver the desired results. If the process doesn’t achieve what we want, we shouldn’t wait for an audit finding but instead treat the gap between the current state and the desired one as a nonconformance and apply our CAPA process to remove the gap.

1. Ouellette, Penny. “ISO 9001:2015 Implementation: The Good, the Bad and the Trending.” Quality, Nov. 8, 2018.
2. Druivage, Mark. “An Introduction to qFMEA—A Tool for QMS Risk Management.” Pharmaceutical Online, May 8, 2017.
3. The FDA Group. “Nine Top FDA 483 and Warning Letter Problems for Device Companies in 2015.” May 24, 2016.
4. Brown, Robert. “Beyond the IATF Transition: Analysis of Non-Conformities and Next Steps.” BSI webinar, Jan. 22, 2019.
5. Automotive Industry Action Group. CQI-20—Effective Problem Solving.
6. Ford, Henry, and Crowther, Samuel. My Life and Work. New York: Doubleday, Page & Co., 1922. p. 100.
7. Halpin, James F. Zero Defects. New York: McGraw-Hill, 1966.
8. Automotive Industry Action Group, 2012. CQI-22—The Cost of Poor Quality Guide—“Deviation from Ideal Method,” p. 26.
9. Ford, Henry, and Crowther, Samuel. Today and Tomorrow. New York: Doubleday, Page & Co., 1926.



About The Author


William A. Levinson

William A. Levinson, P.E., FASQ, CQE, CMQOE, is the principal of Levinson Productivity Systems P.C. and the author of the book The Expanded and Annotated My Life and Work: Henry Ford’s Universal Code for World-Class Success (Productivity Press, 2013).