What is CAPA in Pharmacovigilance?

A comprehensive, inspection-focused Corrective and Preventive Actions (CAPA) procedure tailored to pharmacovigilance (PV). Includes regulatory context, step-by-step CAPA lifecycle with timelines and KPIs, root cause analysis (RCA) methods, governance and inspection considerations, an implementable RACI matrix, templates for CAPA records and investigations, and a practical checklist to make CAPAs inspection-ready.

Audio Lesson 12 min

Corrective and Preventive Action (CAPA) is a structured quality process used to identify, investigate, correct and prevent compliance issues within a pharmacovigilance system. This article expands the overview into an inspection-ready CAPA procedure suitable for operational implementation, inspection response and governance by a marketing authorisation holder (MAH) or contract pharmacovigilance provider.

This document is written for pharmacovigilance quality leads, QPPVs, QA, safety operations, IT support for PV systems and senior management who must design, operate or review CAPA systems and related evidence for inspections.

Regulatory context and inspection relevance

CAPA expectations for pharmacovigilance derive from the general requirements for a documented quality management system, risk management and effective oversight of PV activities. Principal regulatory references or expectations to consider:

Inspection relevance: - Inspectors expect demonstrable linkage between identified issues (audit, inspection, deviation), documented root cause(s), an implemented CAPA plan, objective effectiveness checks, and documented closure. They will review timeliness, risk-based prioritisation, QPPV awareness/escalation, evidence trails, and management oversight. - Maintain a readily retrievable CAPA dossier for each significant finding containing initiation documentation, investigation, RCA outputs, CAPA plan with owner and dates, implementation records, evidence of effectiveness checks, change control and training records, and management review / sign-off.

Governance: committees, roles and escalation

CAPA governance should be formalised. Recommended governance elements:

Roles and responsibilities (high level) - QPPV: awareness and oversight of significant CAPAs that affect the PV system; sign-off on CAPAs with regulatory or safety impact. - PV Quality (QA): accountable for CAPA process, review and acceptance of investigations, monitoring of effectiveness checks. - PV Operations / Safety: perform investigations, implement corrective actions affecting case handling and safety data processes. - IT/IS: implement technical fixes, change control, and provide evidence of system changes and validations. - Vendor Oversight: ensure CROs/partners implement vendor-initiated CAPAs and provide evidence; ensure contractual obligations are met. - Regulatory Affairs: determine regulatory reporting obligations resulting from CAPA (e.g., if CAPA changes PV system impacting PSURs or labeling), and liaise with health authorities when required.

Inspection-ready CAPA procedure (detailed, implementable)

Purpose: To define a standardised, regulatory-aligned and inspection-ready process for documenting, investigating, implementing and verifying corrective and preventive actions for pharmacovigilance-related issues.

Scope: All PV system components (case processing, signal detection, safety database, vendor oversight, periodic reporting, risk management, QMS items) across MAH and contracted PV service providers.

Definitions: - CAPA: Corrective Action(s) and/or Preventive Action(s). - RCA: Root Cause Analysis. - Effectiveness Check: Objective verification that the CAPA has removed the root cause and reduced/prevented recurrence. - Severity/Risk Level: Risk category assigned based on patient impact and regulatory obligations.

Procedure steps (with timelines, KPIs and documentation requirements): 1. Issue identification (T0) - Triggers: Inspection findings, external inspection reports, internal or vendor audit findings, deviations, complaint trends, system failures, pharmacovigilance performance metrics. - Immediate actions: For patient-safety related issues, apply immediate containment measures (e.g., stop intake for a particular vendor queue, escalate to QPPV). - Documentation: Initiate CAPA record in CAPA tracking system within 3 business days of issue identification. - KPI: Time to CAPA initiation β€” target ≀ 3 business days.

  1. Initial assessment and risk categorisation (T0 + ≀ 5 business days)
  2. Conduct a rapid impact assessment: regulatory reporting implications, patient safety impact, number of cases affected, affected processes or systems.
  3. Categorise severity and assign priority (examples):
    • Critical/High β€” immediate patient safety impact or inspection finding requiring formal regulatory response.
    • Medium β€” process non-conformity with potential to lead to impact.
    • Low β€” procedural/documentation issues with low immediate impact.
  4. Document provisional scope and owners.
  5. KPI: Time to risk categorisation β€” target ≀ 5 business days.

  6. Investigation planning and RCA initiation (T0 + ≀ 15 calendar days)

  7. Appoint CAPA owner accountable for investigation and plan.
  8. Define investigation team with competence and independence where possible.
  9. Select RCA methodology (see RCA methods section) based on complexity and severity.
  10. Produce Investigation Plan (documented): objectives, scope, assumptions, evidence to collect, stakeholders, timeline.
  11. KPI: Time to investigation plan β€” target ≀ 15 calendar days for high/medium; ≀30 calendar days for complex/low.

  12. Root Cause Analysis and evidence collection (Target: 10–45 calendar days depending on complexity)

  13. Execute RCA with documented steps, evidence, interviews, process mapping, and summarise root cause(s) versus contributing factors.
  14. Use risk tools (FMEA, fault trees, Pareto analysis) as needed to quantify likelihood and impact.
  15. Document interim containment measures (if not already implemented).
  16. KPI: RCA completion time β€” typical targets:
    • High priority: ≀ 30 calendar days.
    • Medium priority: ≀ 45 calendar days.
    • Low priority: ≀ 90 calendar days (for complex supplier investigations).
  17. Inspection evidence: minutes of meetings, interview notes, exported system logs, audit reports, sample case reviews, screenshots with metadata.

  18. CAPA plan development and approval (T+ ≀ 15 calendar days after RCA)

  19. Create CAPA actions directly linked to each root cause (not merely symptoms).
  20. Each action must include: action description, owner, start date, due date, resource needs, acceptance criteria, link to change control if applicable, and monitoring method.
  21. Categorise actions as Corrective (addressed for past incidents) or Preventive (modifies process to reduce recurrence).
  22. QA review and approval required; QPPV sign-off for CAPAs with patient safety or regulatory impact.
  23. KPI: Time to CAPA plan β€” target ≀ 15 calendar days following RCA for high/medium risk.

  24. Implementation (Execute per CAPA plan)

  25. Implement according to timelines; use change control for procedural or system changes.
  26. Maintain implementation evidence: training records, updated SOPs, validation test scripts, vendor confirmations, system release notes.
  27. For system fixes, ensure validation/qualification is executed and retained.
  28. KPI: Percent of CAPA milestones completed on time; target > 90%.

  29. Effectiveness verification (post-implementation; timing depends on action)

  30. Predefine effectiveness check(s) in CAPA plan. Typical approaches:
    • Re-audit or targeted verification (sample size defined).
    • Trend analysis over predefined period (e.g., 3 months of monitored case intake).
    • Re-run process metrics or automated checks.
  31. Conduct documented effectiveness checks at pre-defined intervals (e.g., 30, 60, 90 days post-implementation depending on risk).
  32. Criteria must be objective and measurable (e.g., reduction in error rate below defined threshold).
  33. For major CAPAs, effectiveness should include independent QA verification and oversight committee review.
  34. KPI: Time to first effectiveness check β€” typical target 30–90 days after completion; effectiveness success rate target > 85%.

  35. Closure and management review

  36. Upon satisfactory effectiveness verification, CAPA owner prepares closure report with summary: issue, root cause, actions, evidence, effectiveness metrics, and lessons learned.
  37. QA and QPPV sign-off required for closure of CAPAs with safety/regulatory impact.
  38. Closed CAPAs are included in management review and trending analyses.
  39. Retain CAPA records in accordance with document retention policy and for inspection (minimum period aligned to regulatory retention requirements for PV records; often 10 years after marketing authorisation expiry or per local law).

  40. Trending and continuous improvement

  41. Quarterly/annual CAPA trend reports to management: counts, time-to-close, recurring themes, vendor-related items, inspection-related CAPAs.
  42. Use trend data to identify systemic weaknesses and inform resource allocation and preventive programs.

Root cause analysis (RCA) methods β€” selection and practical guidance

RCA must be proportionate to the risk and complexity of the issue. Common effective methods:

RCA documentation expectations for inspections: - Clear problem statement. - Timeline of events and evidence (logs, screenshots with timestamps, audit trails). - List of interviews conducted and summaries. - Evidence linking root cause(s) to observed non-conformity. - Rationale for selected CAPA actions demonstrating how they address root cause(s). - Risk assessment justifying priority and timelines.

CAPA evidence that inspectors expect

Inspectors will look for a complete traceable record from detection to closure, including: - CAPA initiation sheet and risk categorisation. - Investigation plan and RCA outputs. - Mapping of each CAPA action to a root cause. - Implementation records: updated SOPs, change control documents, system validation scripts and results, training logs. - Verification evidence: re-audit reports, trend tables with defined metrics, QC or QA sign-offs. - Management review minutes and escalation evidence (if applicable). - Vendor communications and confirmations for outsourced activities. - Retained electronic and paper records searchable and available during inspections.

Inspection checklist (practical, for preparation)

Use this checklist when preparing for a PV inspection or when demonstrating CAPA efficacy to an inspector:

Templates (examples to include in a CAPA system)

The following templates are condensed examples to be incorporated into your CAPA tracking tool or QMS. Each should be adapted to the organisation’s system (electronic CAPA module or controlled spreadsheet) and made accessible to trained staff.

CAPA Initiation Form (minimum fields) - CAPA ID: - Date opened: - Source of issue (inspection, audit, deviation, complaint, vendor, routine review): - Brief problem statement (one-sentence description): - Immediate containment actions (if any): - Initial risk category (Critical/High/Medium/Low) and rationale: - Preliminary owner: - Required SLA / target dates: - Link to related documents (audit report, inspection report, deviation number):

Investigation Plan (outline) - CAPA ID: - Investigation owner and team: - Scope and objective: - Method(s) for RCA: - Evidence to collect (system logs, sample cases, SOPs review, interviews): - Timeline and milestones: - Risk assessment and regulatory notification considerations: - QA oversight and sign-off:

RCA Report (outline) - CAPA ID: - Problem statement (detailed): - Chronology of events: - Evidence summary (attached files): - RCA method used: - Root cause(s) (clear, verifiable statements): - Contributing factors: - Impact assessment (patients affected, reporting obligations, regulatory consequences): - Recommendation summary to CAPA plan:

CAPA Plan Template - CAPA ID: - Action number: - Corrective or Preventive: - Action description: - Root cause(s) addressed: - Owner: - Start date: - Due date: - Resources required: - Acceptance criteria / objective metric: - Change control required? (Y/N) If Y, link: - Status (Not started / In progress / Complete / Blocked): - Evidence link(s):

Effectiveness Check Template - CAPA ID: - Action number: - Effectiveness metric(s): - Pre-implementation baseline: - Post-implementation results and statistical analysis: - Sample size and selection method: - Date(s) of check: - Result (Effective / Partially effective / Not effective): - Further actions (if not effective): - QA verification and sign-off:

Closure Report Template - CAPA ID: - Summary of issue and root cause: - List of actions completed with evidence links: - Dates of milestone completion: - Effectiveness check summary: - Declaration that CAPA addresses root cause and reduces recurrence (Yes/No) with rationale: - QA sign-off: - QPPV sign-off (if applicable): - Closure date:

RACI matrix (practical example for pharmacovigilance CAPA)

Activity / Role QPPV PV Ops Owner PV QA IT/IS Vendor Oversight Regulatory Affairs Head of PV Management Review
CAPA initiation I R A C C C I I
Risk categorisation I R A C C C I I
Investigation / RCA I R A C C C I I
CAPA plan development I R A C C C I I
Implementation I R C R R C I I
Effectiveness check I R A C C C I I
Closure sign-off A (if safety impact) R A C C R (if regulatory impact) I I
Management reporting I R A C C C A R

Key: - R = Responsible (executes the task) - A = Accountable (approves and is accountable) - C = Consulted (two-way communication) - I = Informed (one-way communication)

Design KPIs as part of your QMS performance monitoring. Suggested KPIs, targets and acceptable timelines:

Timelines for inspection-driven CAPAs - Inspections may set specific corrective action plan (CAPA) deadlines; ensure alignment between internal SLA and the agreed regulatory CAPA timeline. - For inspection-critical findings, provide immediate acknowledgement, initial containment, and a proposed timeline for full RCA and CAPA plan within 30 days unless otherwise required by the inspector.

Practical implementation details and tools

Common inspection findings and how CAPA procedure should address them

Governance and management oversight β€” practical guidance

Appendices: example checklists and form samples

Example CAPA initiation quick checklist - CAPA ID created? Y/N - Problem statement clear? Y/N - Source document attached (audit/inspection/deviation)? Y/N - Preliminary risk category assigned with rationale? Y/N - Containment measures (if patient-safety impact) implemented? Y/N - CAPA owner assigned? Y/N - CAPA scheduled in CRC agenda? Y/N

Example Evidence list (for each CAPA) - CAPA initiation form with ID and dates - Audit/inspection/deviation report - Investigation plan and RCA report - Evidence artifacts (logs, screenshots, meeting minutes) - CAPA plan with owners and timelines - Change control forms and validation records - Training records associated with implementation - Effectiveness check results and analysis - QA and QPPV sign-off - Closure report and management review minutes

Conclusion

An inspection-ready CAPA procedure in pharmacovigilance requires a documented, risk-based and evidence-focused approach. CAPAs must be traceable from detection through RCA, action, verification and closure. Regulatory guidance (EU GVP Module I, ICH Q9 and Q10) supports building CAPA as an integral element of the PV quality system. Implement the timelines, RCA rigor, documentation controls, governance structures and KPIs described here to ensure CAPAs are effective, demonstrable and inspection-ready.

Last reviewed: June 2026

Last reviewed: 2026-06-19