SGRII Insights · ISO 9001:2015 · 2026
Improvement — Why the Word “CAPA” Doesn’t Appear in ISO 9001 — And Why That Matters
The industry’s most entrenched habit — merging corrective action with preventive action into a single “CAPA” system — contradicts the 2015 standard’s architecture. Here’s the system design that replaces it.
SGRII Performance & Digital Solutions
QMS Practice · April 2026 · 10 min read
SGRII Pillar Lens
Improvement
Clause 10 sits at the apex of the management system — the point where the system evaluates itself and decides what to change. When organisations conflate corrective action with risk treatment, they surrender the distinction between fixing what failed and preventing what might fail. The system can repair itself. It cannot advance itself. That is the difference between a management system that survives problems and one that outgrows them.
The Standard Eliminated Preventive Action for a Reason
ISO 9001:2008 contained two distinct improvement clauses: 8.5.2 (Corrective Action) and 8.5.3 (Preventive Action). The 2015 revision eliminated Preventive Action as a standalone requirement — not because prevention became unimportant, but because the entire standard was restructured around risk-based thinking. Prevention is now embedded in Clause 6.1 (actions to address risks and opportunities), not managed as a separate corrective action variant.
Despite this fundamental architectural change, a significant portion of the industry continues to operate “CAPA” systems — Corrective And Preventive Action — as if the 2008 structure still applies. Registers combine reactive nonconformity responses with proactive risk treatments in a single tracking mechanism. The result is conceptual confusion: staff can’t distinguish between fixing something that failed (corrective action, Clause 10.2) and preventing something that might fail (risk treatment, Clause 6.1). The two activities require different triggers, different analysis methods, different response mechanisms, and different evidence of effectiveness.
The SGRII methodology enforces the separation the standard intended: an NC & CA Register (Clause 10.2) for retrospective nonconformity management, and a Risk & Opportunity Register (Clause 6.1) for prospective risk treatment and opportunity capture. These registers never merge. The term “CAPA” does not appear in any SGRII product. This is not a semantic preference — it’s a system design decision that determines whether the organisation can meaningfully distinguish between correction and prevention.
Clause 10.2 — Root Cause Analysis: System Deficiency, Always
Clause 10.2.1 requires the organisation to react to nonconformities by taking action to control and correct them, deal with the consequences, evaluate the need for action to eliminate the causes so they don’t recur or occur elsewhere, implement any action needed, review the effectiveness of corrective action taken, and if necessary, update risks and opportunities or make changes to the QMS.
The critical step is “evaluate the need for action to eliminate the causes.” This is root cause analysis — and it is where most corrective action systems fail. The overwhelming majority of root cause analyses in SME quality systems arrive at the same destination: “human error,” “operator mistake,” “training gap,” or “lack of attention.” These are not root causes. They are descriptions of the immediate event.
The SGRII position is non-negotiable: “human error” is never an acceptable root cause. Every nonconformity has a system cause — a process that lacked adequate controls, a procedure that was ambiguous, a competence requirement that wasn’t defined, an environment that created error-likely conditions, or a design that failed to prevent foreseeable misuse. If the root cause analysis stops at the person, the analysis hasn’t gone deep enough.
This principle is supported by the methodology tools in the SGRII portfolio: 8D Problem Solving for complex, multi-causal nonconformities; Root Cause Analysis for systematic cause identification; FMEA for failure mode prevention at the design stage; and the Integrated Corrective & Risk-Based Improvement System for organisations ready to connect their Clause 10.2 outputs to their Clause 6.1 inputs in a closed-loop improvement architecture.
Effectiveness Verification — Evidence, Not Dates
Clause 10.2.1 (e) requires the organisation to “review the effectiveness of any corrective action taken.” In practice, effectiveness verification is the weakest link in the corrective action chain. The most common approach: a date is set — typically 30, 60, or 90 days after implementation — and when that date arrives, the corrective action is reviewed and closed. This is date-based verification, and it proves nothing.
Effectiveness verification must be evidence-based. The question is not “has enough time passed?” but “has the corrective action achieved its intended outcome?” That means defining, at the point of corrective action planning, what evidence will demonstrate effectiveness: zero recurrence of the specific nonconformity type over a defined production volume, process performance data returning to within specification, successful completion of a competence re-assessment, or positive results from a targeted follow-up audit.
If the organisation cannot articulate what “effective” looks like before implementing the corrective action, it cannot verify effectiveness afterward. The SGRII NC & CA Register includes a mandatory effectiveness criteria field completed at the planning stage — not retrospectively at the closure stage. Verification is then performed against these pre-defined criteria, producing evidence of effectiveness rather than evidence of elapsed time.
Clause 10.3 — Continual Improvement Beyond Nonconformity
Clause 10.3 requires the organisation to continually improve the suitability, adequacy, and effectiveness of the QMS, considering the results of analysis and evaluation (Clause 9.1.3) and management review outputs (Clause 9.3.3). Continual improvement is not corrective action. It’s the proactive enhancement of system performance even when nothing has failed.
In most organisations, improvement activity is entirely reactive — driven by nonconformities, customer complaints, and audit findings. The proactive dimension of Clause 10.3 — identifying opportunities to improve process efficiency, enhance customer value, reduce waste, strengthen controls, or simplify workflows — receives minimal attention. Yet this is where the most significant performance gains exist: not in fixing failures, but in optimising systems that already work.
The PDCA cycle (Plan-Do-Check-Act) — referenced in the standard’s introduction as the framework for continual improvement — provides the mechanism. But PDCA is a thinking framework, not a form. It requires the organisation to plan an improvement, implement it on a controlled basis, evaluate whether it worked, and standardise or adjust. Most organisations skip “Check” and “Act” — implementing changes without evaluating their impact or standardising successful improvements into the system.
The Improvement Pillar — Closing the Loop
Clause 10 maps to the Improvement pillar of the SGRII methodology — the final pillar that determines whether the system learns from its own operation. A system with built-in tracking, feedback, and follow-up mechanisms that drive measurable progress is a system that improves. A system that captures nonconformities without investigating their causes, sets corrective actions without verifying their effectiveness, and conducts management reviews without producing decisions is a system that documents activity while standing still.
Across all twelve SGRII ISO frameworks, the Clause 10 architecture is identical: NC & CA Register with mandatory root cause analysis (system deficiency only), evidence-based effectiveness verification, and structural separation from the Clause 6.1 Risk & Opportunity Register. This architecture scales — from a single-standard ISO 9001 implementation to a twelve-standard integrated management system — because the improvement methodology doesn’t change. Only the scope of what’s being improved changes.
The Complete SGRII ISO Framework Portfolio
12 ISO standards. Six-module packages. Risk & Opportunity Engines. Audit Packs. Methodology frameworks.
One architecture. One philosophy: conformance is system performance.
Join the Conversation
Does your organisation use the term “CAPA”? If so — can your team articulate the structural difference between a corrective action (Clause 10.2) and a risk treatment (Clause 6.1)? And is your effectiveness verification evidence-based or date-based?
Practitioner perspectives that challenge or extend this analysis are particularly welcome. Leave your comment below — the SGRII team responds to every substantive contribution.
Coverage is not compliance. SGRII frameworks provide structured coverage, templates and guidance. They are designed for audit defensibility and structured for certification readiness; they do not certify you, do not guarantee a successful audit, and are not legal advice. The official ISO standard remains the only authoritative source of requirements.