CAPA Strategy Framework
Framework for developing effective Corrective and Preventive Action plans
This CAPA strategy framework provides a structured approach to root cause analysis, corrective action planning, implementation tracking, and effectiveness verification. Aligns with ICH Q10 pharmaceutical quality system principles and FDA CAPA regulatory expectations.
Framework Overview
The AuditingLab CAPA Strategy Framework is built on five sequential phases: Detection and Classification, Root Cause Analysis, Action Planning, Implementation Verification, and Effectiveness Verification. Each phase has defined inputs, outputs, and quality gates that must be satisfied before progressing to the next phase.
The framework is regulatory authority-agnostic and applies to FDA CAPA expectations (21 CFR Parts 211, 820), ICH Q10 pharmaceutical quality system principles, and GCP-context CAPA requirements under ICH E6(R3). Organizations subject to multiple regulatory frameworks can use a single CAPA system that satisfies all applicable requirements.
Phase 1: Detection and Classification
Not every quality event requires a CAPA. Classification determines the response level and resource investment required. A robust detection system captures events from multiple sources: audit findings, deviation reports, complaint records, trend analyses, self-inspection observations, and external regulatory signals.
- Critical events: immediate patient safety or data integrity impact — CAPA required within 24 hours
- Major events: significant GCP deviation, systemic process failure, or recurring minor finding — CAPA required within 5 business days
- Minor events: isolated procedural inconsistency, no patient safety or data integrity impact — tracked in deviation log; CAPA if recurring
- Immediate containment action must be documented for all critical and major events
- Classification should be reviewed and confirmed by QA within 48 hours of the initial determination
Phase 2: Root Cause Analysis Methods
The framework supports three root cause analysis methods, selectable based on event complexity. For simple, well-understood events, the 5-Whys method is sufficient and efficient. For complex, multi-factor events, a fishbone (Ishikawa) diagram maps contributing factors across the six standard categories: Method, Measurement, Machine, Material, Man, and Environment. For high-severity events with regulatory implications, a formal Failure Mode and Effects Analysis (FMEA) provides the most rigorous structured analysis.
- 5-Whys: appropriate for clear, linear cause-effect chains; fastest to execute
- Fishbone/Ishikawa: appropriate for complex events with multiple potential causes; maps contributing factors systematically
- FMEA: appropriate for high-severity events and systemic process failures; provides probability and severity scoring
- For all methods: document the RCA process, the evidence reviewed, and the team members involved
- Root cause must be testable: if you eliminated the root cause, would the event definitely not recur?
Phase 3: Action Planning
Every CAPA plan must contain three types of actions: immediate containment (stopping the current impact), corrective action (fixing this specific event), and preventive action (fixing the underlying system to prevent recurrence). Organizations that write only corrective actions without preventive actions consistently reopen the same CAPAs.
- Immediate containment: what was done right now to prevent further harm — documented with date and responsible person
- Corrective actions: specific, measurable actions to address this event — each with owner, due date, and evidence requirement
- Preventive actions: systemic changes to prevent recurrence — may include SOP revision, training, system configuration, or oversight process changes
- Action due dates must be realistic — overdue CAPAs are a regulatory finding in their own right
- All actions must be linked to the identified root cause; actions that don't address the root cause will not be effective
Phase 4: Implementation Verification
Implementation verification confirms that planned actions were completed as described. This is a documentation review, not an effectiveness assessment — you are confirming that the training happened, the SOP was revised, the system was reconfigured, or the process change was implemented.
- Collect completion evidence for every action item before closing the implementation phase
- Evidence types: signed training records, approved SOPs with new version numbers, system change request records, process audit reports
- Do not mark any action as complete without a specific evidence reference in the CAPA record
- Incomplete actions must be escalated to QA management — do not self-extend due dates without escalation and documentation
- QA sign-off required for implementation verification before moving to effectiveness phase
Phase 5: Effectiveness Verification
Effectiveness verification is the proof that the CAPA worked. It requires observation of the process after implementation for a defined period, using pre-defined metrics that would detect recurrence. Effectiveness verification that relies only on the absence of new reports — rather than active surveillance of the process — is insufficient and will be challenged by regulators.
- Define the effectiveness metric before implementing the CAPA, not after
- Set a minimum observation period: 30 days for high-frequency processes, 90+ days for low-frequency processes
- Conduct active surveillance — review data, observe the process, or audit the system — rather than waiting for new reports
- Document the surveillance activities, findings, and the effectiveness determination with supporting evidence
- If effectiveness verification fails, reopen the CAPA and repeat root cause analysis before the problem spreads
Browse all resources or contact us to discuss your QA needs.