Corrective and Preventive Action (CAPA) is a structured quality process used to identify, investigate, correct and prevent compliance issues within a pharmacovigilance system. This article expands the overview into an inspection-ready CAPA procedure suitable for operational implementation, inspection response and governance by a marketing authorisation holder (MAH) or contract pharmacovigilance provider.
This document is written for pharmacovigilance quality leads, QPPVs, QA, safety operations, IT support for PV systems and senior management who must design, operate or review CAPA systems and related evidence for inspections.
Regulatory context and inspection relevance
CAPA expectations for pharmacovigilance derive from the general requirements for a documented quality management system, risk management and effective oversight of PV activities. Principal regulatory references or expectations to consider:
- EU Good Pharmacovigilance Practices (GVP), notably:
- Module I β Pharmacovigilance System and its Quality System (quality system requirements; CAPA is expected as part of continuous improvement and corrective action following audits or inspections).
- Other GVP modules as applicable (e.g., Module V for safety monitoring and Module IX for signal management) where findings may trigger CAPA.
- ICH Q10 β Pharmaceutical Quality System (establishes requirements for a robust quality system, including CAPA).
- ICH Q9 β Quality Risk Management (useful for risk categorisation and prioritisation of CAPA).
- FDA Quality System Regulation (21 CFR Part 820) β for device-based or cross-domain CAPA expectations where applicable; provides a well-known CAPA paradigm inspectors understand.
- National PV inspection guidance and MAH commitments (inspection notices, Corrective Action Plans following inspection closure).
Inspection relevance: - Inspectors expect demonstrable linkage between identified issues (audit, inspection, deviation), documented root cause(s), an implemented CAPA plan, objective effectiveness checks, and documented closure. They will review timeliness, risk-based prioritisation, QPPV awareness/escalation, evidence trails, and management oversight. - Maintain a readily retrievable CAPA dossier for each significant finding containing initiation documentation, investigation, RCA outputs, CAPA plan with owner and dates, implementation records, evidence of effectiveness checks, change control and training records, and management review / sign-off.
Governance: committees, roles and escalation
CAPA governance should be formalised. Recommended governance elements:
- CAPA Review Committee (CRC): periodic (weekly/bi-weekly) operational meeting to review new CAPAs, prioritise, assign owners and ensure timelines are met. Membership: Head of PV Operations, PV QA, QPPV or delegate, IT/IS lead (if system-related), Vendor Oversight Lead (when outsourced), Regulatory Affairs representative for regulatory impact.
- Quality Steering Group (QSG) / Management Review: monthly/quarterly oversight of persistent trends, high-risk CAPAs, resource needs and systemic risk reduction strategies. Membership: Senior Management, QPPV, QA Head, Head of Clinical Safety.
- Escalation criteria: define thresholds (e.g., high-severity patient-safety related CAPAs, repeated inspection findings, missed regulatory timelines) that require immediate escalation to Senior Management and possibly to the QPPV for regulatory notification.
Roles and responsibilities (high level) - QPPV: awareness and oversight of significant CAPAs that affect the PV system; sign-off on CAPAs with regulatory or safety impact. - PV Quality (QA): accountable for CAPA process, review and acceptance of investigations, monitoring of effectiveness checks. - PV Operations / Safety: perform investigations, implement corrective actions affecting case handling and safety data processes. - IT/IS: implement technical fixes, change control, and provide evidence of system changes and validations. - Vendor Oversight: ensure CROs/partners implement vendor-initiated CAPAs and provide evidence; ensure contractual obligations are met. - Regulatory Affairs: determine regulatory reporting obligations resulting from CAPA (e.g., if CAPA changes PV system impacting PSURs or labeling), and liaise with health authorities when required.
Inspection-ready CAPA procedure (detailed, implementable)
Purpose: To define a standardised, regulatory-aligned and inspection-ready process for documenting, investigating, implementing and verifying corrective and preventive actions for pharmacovigilance-related issues.
Scope: All PV system components (case processing, signal detection, safety database, vendor oversight, periodic reporting, risk management, QMS items) across MAH and contracted PV service providers.
Definitions: - CAPA: Corrective Action(s) and/or Preventive Action(s). - RCA: Root Cause Analysis. - Effectiveness Check: Objective verification that the CAPA has removed the root cause and reduced/prevented recurrence. - Severity/Risk Level: Risk category assigned based on patient impact and regulatory obligations.
Procedure steps (with timelines, KPIs and documentation requirements): 1. Issue identification (T0) - Triggers: Inspection findings, external inspection reports, internal or vendor audit findings, deviations, complaint trends, system failures, pharmacovigilance performance metrics. - Immediate actions: For patient-safety related issues, apply immediate containment measures (e.g., stop intake for a particular vendor queue, escalate to QPPV). - Documentation: Initiate CAPA record in CAPA tracking system within 3 business days of issue identification. - KPI: Time to CAPA initiation β target β€ 3 business days.
- Initial assessment and risk categorisation (T0 + β€ 5 business days)
- Conduct a rapid impact assessment: regulatory reporting implications, patient safety impact, number of cases affected, affected processes or systems.
- Categorise severity and assign priority (examples):
- Critical/High β immediate patient safety impact or inspection finding requiring formal regulatory response.
- Medium β process non-conformity with potential to lead to impact.
- Low β procedural/documentation issues with low immediate impact.
- Document provisional scope and owners.
-
KPI: Time to risk categorisation β target β€ 5 business days.
-
Investigation planning and RCA initiation (T0 + β€ 15 calendar days)
- Appoint CAPA owner accountable for investigation and plan.
- Define investigation team with competence and independence where possible.
- Select RCA methodology (see RCA methods section) based on complexity and severity.
- Produce Investigation Plan (documented): objectives, scope, assumptions, evidence to collect, stakeholders, timeline.
-
KPI: Time to investigation plan β target β€ 15 calendar days for high/medium; β€30 calendar days for complex/low.
-
Root Cause Analysis and evidence collection (Target: 10β45 calendar days depending on complexity)
- Execute RCA with documented steps, evidence, interviews, process mapping, and summarise root cause(s) versus contributing factors.
- Use risk tools (FMEA, fault trees, Pareto analysis) as needed to quantify likelihood and impact.
- Document interim containment measures (if not already implemented).
- KPI: RCA completion time β typical targets:
- High priority: β€ 30 calendar days.
- Medium priority: β€ 45 calendar days.
- Low priority: β€ 90 calendar days (for complex supplier investigations).
-
Inspection evidence: minutes of meetings, interview notes, exported system logs, audit reports, sample case reviews, screenshots with metadata.
-
CAPA plan development and approval (T+ β€ 15 calendar days after RCA)
- Create CAPA actions directly linked to each root cause (not merely symptoms).
- Each action must include: action description, owner, start date, due date, resource needs, acceptance criteria, link to change control if applicable, and monitoring method.
- Categorise actions as Corrective (addressed for past incidents) or Preventive (modifies process to reduce recurrence).
- QA review and approval required; QPPV sign-off for CAPAs with patient safety or regulatory impact.
-
KPI: Time to CAPA plan β target β€ 15 calendar days following RCA for high/medium risk.
-
Implementation (Execute per CAPA plan)
- Implement according to timelines; use change control for procedural or system changes.
- Maintain implementation evidence: training records, updated SOPs, validation test scripts, vendor confirmations, system release notes.
- For system fixes, ensure validation/qualification is executed and retained.
-
KPI: Percent of CAPA milestones completed on time; target > 90%.
-
Effectiveness verification (post-implementation; timing depends on action)
- Predefine effectiveness check(s) in CAPA plan. Typical approaches:
- Re-audit or targeted verification (sample size defined).
- Trend analysis over predefined period (e.g., 3 months of monitored case intake).
- Re-run process metrics or automated checks.
- Conduct documented effectiveness checks at pre-defined intervals (e.g., 30, 60, 90 days post-implementation depending on risk).
- Criteria must be objective and measurable (e.g., reduction in error rate below defined threshold).
- For major CAPAs, effectiveness should include independent QA verification and oversight committee review.
-
KPI: Time to first effectiveness check β typical target 30β90 days after completion; effectiveness success rate target > 85%.
-
Closure and management review
- Upon satisfactory effectiveness verification, CAPA owner prepares closure report with summary: issue, root cause, actions, evidence, effectiveness metrics, and lessons learned.
- QA and QPPV sign-off required for closure of CAPAs with safety/regulatory impact.
- Closed CAPAs are included in management review and trending analyses.
-
Retain CAPA records in accordance with document retention policy and for inspection (minimum period aligned to regulatory retention requirements for PV records; often 10 years after marketing authorisation expiry or per local law).
-
Trending and continuous improvement
- Quarterly/annual CAPA trend reports to management: counts, time-to-close, recurring themes, vendor-related items, inspection-related CAPAs.
- Use trend data to identify systemic weaknesses and inform resource allocation and preventive programs.
Root cause analysis (RCA) methods β selection and practical guidance
RCA must be proportionate to the risk and complexity of the issue. Common effective methods:
- 5 Whys
- Good for simple events with a single causal chain.
- Form: repeatedly ask "why" to trace back to root cause(s). Document each why and evidence.
- Fishbone (Ishikawa) analysis
- Useful for process-level investigations where multiple contributing factors exist (People, Process, Technology, Environment, Materials, Measurement).
- Create the diagram and link each factor to evidence.
- Fault Tree Analysis (FTA)
- A top-down logical approach suited for complex systems and technical failures.
- Failure Mode and Effects Analysis (FMEA)
- Preventive tool to evaluate potential failure modes and prioritise preventive actions using Risk Priority Number (RPN).
- Process Mapping and Gap Analysis
- Visual maps of the process flow highlight handoffs and controls. Use to identify specific control failures.
- Pareto Analysis
- Use to prioritise corrective actions by frequency or impact (20/80 rule).
- Hybrid approaches
- Combine Fishbone + 5 Whys, or FMEA followed by targeted FTA for complex technical root causes.
RCA documentation expectations for inspections: - Clear problem statement. - Timeline of events and evidence (logs, screenshots with timestamps, audit trails). - List of interviews conducted and summaries. - Evidence linking root cause(s) to observed non-conformity. - Rationale for selected CAPA actions demonstrating how they address root cause(s). - Risk assessment justifying priority and timelines.
CAPA evidence that inspectors expect
Inspectors will look for a complete traceable record from detection to closure, including: - CAPA initiation sheet and risk categorisation. - Investigation plan and RCA outputs. - Mapping of each CAPA action to a root cause. - Implementation records: updated SOPs, change control documents, system validation scripts and results, training logs. - Verification evidence: re-audit reports, trend tables with defined metrics, QC or QA sign-offs. - Management review minutes and escalation evidence (if applicable). - Vendor communications and confirmations for outsourced activities. - Retained electronic and paper records searchable and available during inspections.
Inspection checklist (practical, for preparation)
Use this checklist when preparing for a PV inspection or when demonstrating CAPA efficacy to an inspector:
- CAPA initiation
- Is there a CAPA log with unique identifiers?
- Was the CAPA initiated within the procedural timeframe?
- Is risk categorisation documented and justified?
- RCA
- Is there a clearly documented problem statement and scope?
- Are RCA methods appropriate and documented?
- Are interviews and evidence archived?
- CAPA plan
- Are root causes linked to discrete actions?
- Are there named owners, dates, and objective acceptance criteria?
- Is there documented QA/QPPV review and approval (where required)?
- Implementation
- Are change control and validation records present for system or process changes?
- Are training records complete and linked to updated procedures?
- Are vendor confirmations or corrective actions retained?
- Effectiveness verification
- Are effectiveness checks pre-planned, measurable and executed?
- Is data supporting the effectiveness outcome present (before-and-after metrics, statistical analysis, sample rework)?
- Closure
- Is the closure report complete with evidence and signed by QA/QPPV?
- Is the CAPA included in trending and management review?
- Documentation and retention
- Are all CAPA artifacts retrievable and stored according to retention policies?
- Are electronic audit trails intact and exportable (for PV databases)?
- Governance
- Are CRC and QSG minutes available showing oversight of priority CAPAs?
- Is there evidence of escalation for critical CAPAs?
Templates (examples to include in a CAPA system)
The following templates are condensed examples to be incorporated into your CAPA tracking tool or QMS. Each should be adapted to the organisationβs system (electronic CAPA module or controlled spreadsheet) and made accessible to trained staff.
CAPA Initiation Form (minimum fields) - CAPA ID: - Date opened: - Source of issue (inspection, audit, deviation, complaint, vendor, routine review): - Brief problem statement (one-sentence description): - Immediate containment actions (if any): - Initial risk category (Critical/High/Medium/Low) and rationale: - Preliminary owner: - Required SLA / target dates: - Link to related documents (audit report, inspection report, deviation number):
Investigation Plan (outline) - CAPA ID: - Investigation owner and team: - Scope and objective: - Method(s) for RCA: - Evidence to collect (system logs, sample cases, SOPs review, interviews): - Timeline and milestones: - Risk assessment and regulatory notification considerations: - QA oversight and sign-off:
RCA Report (outline) - CAPA ID: - Problem statement (detailed): - Chronology of events: - Evidence summary (attached files): - RCA method used: - Root cause(s) (clear, verifiable statements): - Contributing factors: - Impact assessment (patients affected, reporting obligations, regulatory consequences): - Recommendation summary to CAPA plan:
CAPA Plan Template - CAPA ID: - Action number: - Corrective or Preventive: - Action description: - Root cause(s) addressed: - Owner: - Start date: - Due date: - Resources required: - Acceptance criteria / objective metric: - Change control required? (Y/N) If Y, link: - Status (Not started / In progress / Complete / Blocked): - Evidence link(s):
Effectiveness Check Template - CAPA ID: - Action number: - Effectiveness metric(s): - Pre-implementation baseline: - Post-implementation results and statistical analysis: - Sample size and selection method: - Date(s) of check: - Result (Effective / Partially effective / Not effective): - Further actions (if not effective): - QA verification and sign-off:
Closure Report Template - CAPA ID: - Summary of issue and root cause: - List of actions completed with evidence links: - Dates of milestone completion: - Effectiveness check summary: - Declaration that CAPA addresses root cause and reduces recurrence (Yes/No) with rationale: - QA sign-off: - QPPV sign-off (if applicable): - Closure date:
RACI matrix (practical example for pharmacovigilance CAPA)
| Activity / Role | QPPV | PV Ops Owner | PV QA | IT/IS | Vendor Oversight | Regulatory Affairs | Head of PV | Management Review |
|---|---|---|---|---|---|---|---|---|
| CAPA initiation | I | R | A | C | C | C | I | I |
| Risk categorisation | I | R | A | C | C | C | I | I |
| Investigation / RCA | I | R | A | C | C | C | I | I |
| CAPA plan development | I | R | A | C | C | C | I | I |
| Implementation | I | R | C | R | R | C | I | I |
| Effectiveness check | I | R | A | C | C | C | I | I |
| Closure sign-off | A (if safety impact) | R | A | C | C | R (if regulatory impact) | I | I |
| Management reporting | I | R | A | C | C | C | A | R |
Key: - R = Responsible (executes the task) - A = Accountable (approves and is accountable) - C = Consulted (two-way communication) - I = Informed (one-way communication)
KPIs and timelines (recommended)
Design KPIs as part of your QMS performance monitoring. Suggested KPIs, targets and acceptable timelines:
- Time to CAPA initiation: target β€ 3 business days from issue detection.
- Time to initial risk categorisation: target β€ 5 business days.
- RCA completion time:
- Critical/High: β€ 30 calendar days.
- Medium: β€ 45 calendar days.
- Low/Complex: β€ 90 calendar days.
- CAPA plan finalised after RCA: β€ 15 calendar days.
- Implementation adherence: β₯ 90% CAPA milestones completed on or before due date.
- Time to first effectiveness check: typically 30β90 days after implementation depending on risk.
- Effectiveness success rate (first check): target β₯ 85%.
- CAPA re-open rate (percentage of CAPAs reopened due to insufficient effectiveness): target β€ 5%.
- Percentage of CAPAs with documented QPPV sign-off (where required): 100%.
- CAPA documentation completeness (audit of random CAPAs): target 100% compliance with required evidentiary items.
Timelines for inspection-driven CAPAs - Inspections may set specific corrective action plan (CAPA) deadlines; ensure alignment between internal SLA and the agreed regulatory CAPA timeline. - For inspection-critical findings, provide immediate acknowledgement, initial containment, and a proposed timeline for full RCA and CAPA plan within 30 days unless otherwise required by the inspector.
Practical implementation details and tools
- CAPA tracking system: Use a controlled electronic system with audit trails (unique ID, user actions, date/time stamps, attachments). Ensure backup and export capability for inspection.
- Document linking: Link CAPAs to source documents (audit/inspection reports, deviation records) and related change controls.
- Templates and standardization: Standardised templates reduce variability and provide inspectors with predictable records.
- Training: All CAPA owners and RCA team members must be trained in CAPA process, RCA methods and evidence requirements; training records must be retained.
- Vendor management: Include explicit CAPA clauses in supplier agreements requiring timely investigation, evidence provision and whetherevidentiary standards.
- Data integrity: Maintain integrity of electronic evidence (system logs with checksums, saved PDF snapshots), and use validated systems for safety database extracts.
Common inspection findings and how CAPA procedure should address them
- Missing linkage between root cause and CAPA actions: Ensure each action explicitly maps to a root cause.
- Lack of objective effectiveness criteria: Define measurable acceptance criteria up front and execute planned verification.
- Delayed or undocumented RCA: Enforce timelines and require interim containment documentation.
- Insufficient evidence of vendor CAPA implementation: Require vendor-provided evidence (SOPs updated, training records) and conduct independent sample checks.
- CAPA closed without QA/QPPV sign-off: Make QA sign-off mandatory; require QPPV for safety or regulatory impact CAPAs.
Governance and management oversight β practical guidance
- CAPA Review Committee (operational) should have standing agenda items to review overdue CAPAs, blocked actions, resource constraints, and escalate high-risk items.
- Senior management should receive periodic CAPA metrics (monthly) and trend analysis (quarterly) as part of business quality review.
- Management must ensure adequate resourcing for CAPA implementation, particularly for system remediation or vendor remediation activities.
- Tie CAPA outcomes into training curricula and SOP revision cycles to support organisational learning.
Appendices: example checklists and form samples
Example CAPA initiation quick checklist - CAPA ID created? Y/N - Problem statement clear? Y/N - Source document attached (audit/inspection/deviation)? Y/N - Preliminary risk category assigned with rationale? Y/N - Containment measures (if patient-safety impact) implemented? Y/N - CAPA owner assigned? Y/N - CAPA scheduled in CRC agenda? Y/N
Example Evidence list (for each CAPA) - CAPA initiation form with ID and dates - Audit/inspection/deviation report - Investigation plan and RCA report - Evidence artifacts (logs, screenshots, meeting minutes) - CAPA plan with owners and timelines - Change control forms and validation records - Training records associated with implementation - Effectiveness check results and analysis - QA and QPPV sign-off - Closure report and management review minutes
Conclusion
An inspection-ready CAPA procedure in pharmacovigilance requires a documented, risk-based and evidence-focused approach. CAPAs must be traceable from detection through RCA, action, verification and closure. Regulatory guidance (EU GVP Module I, ICH Q9 and Q10) supports building CAPA as an integral element of the PV quality system. Implement the timelines, RCA rigor, documentation controls, governance structures and KPIs described here to ensure CAPAs are effective, demonstrable and inspection-ready.
Last reviewed: June 2026