The PAF Model: Prevention, Appraisal, Failure Cost Categories

Updated May 2026. Sources: Juran (1951), Crosby (1979), ASQ current guidance.

The four categories

1. Prevention (the cheapest dollar)

Prevention is the spend on stopping defects before they exist. For software teams the major prevention lines are training (onboarding, ongoing skill development, security awareness), structured design review labour (architecture decision records, design docs, design review meetings), threat modelling sessions for new features handling sensitive data, accessibility audits performed at design stage rather than after build, and deliberately budgeted technical debt paydown to prevent debt from generating new defects.

Prevention typically runs at 4 to 6% of payroll for a mature operation and 1 to 2% for an immature one. Boehm's 1981 cost-of-change data and the IBM Systems Sciences Institute defect multipliers both suggest the prevention dollar is the highest-leverage dollar in the entire PAF model; a $1 prevention spend typically saves $10 in internal failure and $100 in external failure when applied to the right defect class. The unclear-requirements root-cause page goes deep on the highest-ROI prevention investment for most software teams.

2. Appraisal (the necessary dollar)

Appraisal is the spend on confirming quality. For software teams the major appraisal lines are test authoring and maintenance (which is dominated by maintenance rather than authoring at scale), manual QA labour, code review time (typically 4 to 6% of engineering time in measured studies), security scanning tools and triage labour, observability platforms (Datadog, New Relic, Grafana Cloud), and the standing cost of a quality engineering function where it exists.

Appraisal typically runs at 6 to 10% of payroll for a mature operation and 4 to 7% for an immature one. The counterintuitive finding from Crosby and subsequent ASQ work is that appraisal spend does not move much across the maturity curve; it is prevention that varies. Mature operations spend modestly more on appraisal but dramatically more on prevention, and the failure savings come from the prevention investment, not the appraisal investment. Teams that try to fix quality by adding test infrastructure without addressing the underlying defect-generation rate find appraisal spend rising and failure cost staying flat.

3. Internal failure (the visible waste)

Internal failure is the cost of defects caught before customers see them. For software teams the major internal failure lines are bugs found by automated tests after merge, manual QA findings sent back to development, regressions caught in pre-production environments, pull requests rejected and rewritten in code review, deferred refactors that broke a build, and the cascade of work disruption when one of these failure events forces a sprint replanning.

Internal failure typically runs at 4 to 8% of payroll for a mature operation and 12 to 20% for an immature one. This is usually the largest single COPQ category on a first measurement, and it is also the one a team can most directly attack by investing in prevention. The poor-testing root-cause page covers the specific test infrastructure investments that cut internal failure fastest.

4. External failure (the expensive dollar)

External failure is the cost of defects discovered by customers. For software teams the major external failure lines are production incidents (war-room labour, postmortem labour, customer communication labour, occasional SLA refunds), hotfix labour, sustained support load increase from a buggy release, customer churn driven by reliability problems, contractual penalties on enterprise SLAs, and regulatory fines where applicable. The non-labour costs (churn, refunds, fines) are real but the labour cost usually dominates when measured at the engineering team level.

External failure typically runs at 1 to 3% of payroll for a mature operation and 8 to 15% for an immature one. It is the smallest single COPQ category in dollar terms for most software teams, but it is disproportionately damaging because it costs customer trust on top of engineering time. A team that consistently shows external failure above 6% of payroll has an observability or appraisal gap that customers are filling with bug reports. The incident cost calculator sister site decomposes this category further.

Reading the PAF profile

A useful diagnostic is to plot the four PAF categories as a stacked bar and compare the shape against the canonical mature and immature profiles. The mature profile is a chunky base of prevention and appraisal with a thin failure cap. The immature profile is the opposite: a thin sliver of prevention, a moderate appraisal slice, and a dominant failure block. Most first-measurement software teams sit somewhere between the two, with appraisal at the mature end (because tooling spend is easy to defend) and prevention at the immature end (because prevention work is intangible and hard to defend in sprint planning).

The most common improvement trajectory over the first 18 months is to move 3 to 5 percentage points of payroll from internal failure to prevention by adding structured design review and ADR practice. The total COPQ usually drops by 3 to 6 percentage points across the same period because the prevention investment unlocks a larger failure saving. Teams that try to attack failure cost directly without growing prevention typically see total COPQ stay flat or rise, because the failure cost has root causes upstream of the appraisal layer.

Three common misreadings

1. Treating appraisal spend as the prevention answer. Buying more test tooling does not move the defect-generation rate. Appraisal catches defects that prevention failed to stop. Investing in appraisal at the expense of prevention is the most common misallocation on a first measurement, and it tends to leave total COPQ flat.
2. Counting tech debt paydown as failure. Tech debt paydown is prevention spend, not failure spend. Booking it as failure inflates the failure line and obscures the prevention underspend. The rework vs technical debt page covers the conceptual distinction; the budgeting follow-through is to put planned paydown in the prevention bucket.
3. Counting incident labour as appraisal. Incident response is external failure spend, not appraisal. Some teams book it as appraisal because the SRE or QE function leads the incident, but the category is functionally driven by the type of cost (defect discovered by customer) rather than the team that responds.

How PAF relates to DORA

The four DORA metrics (deployment frequency, lead time for changes, change failure rate, mean time to restore) overlap with PAF but are not the same view. DORA change failure rate corresponds approximately to internal plus external failure rate. DORA mean time to restore corresponds approximately to the average external failure event cost. DORA lead time tracks the appraisal and prevention loop latency. None of the DORA metrics directly measure prevention spend, which is the variable that most strongly differentiates mature from immature operations in PAF terms.

The practical implication: a team that is operating at DORA elite level on the four headline metrics may still have an under-funded prevention line in PAF terms and may be paying for it in opportunity cost rather than visible failure cost. The benchmarks page covers the DORA-PAF cross-walk in more detail. Sister sites cicdcost.com and technicaldebtcost.com cover the prevention-side investments that move the PAF balance fastest.

Frequently asked questions