CAPA Plan - Response to Quantificare Audit
Document Information
| Field | Value |
|---|---|
| Document Title | Corrective and Preventive Action Plan - Quantificare Audit Response |
| Document Reference | CAPA-QF-2025-001 |
| Audit Date | November 6, 2025 |
| Audit Report Reference | Audit report - 2025-11-06 - AI provider Legit Health [Compatibility Mode] |
| Document Date | January 15, 2026 |
| Client/Auditor | Quantificare |
| Auditee Organization | Legit Health |
| Document Owner | Quality Management Department |
| Status | Submitted for Client Review |
| Version | 1.0 |
Purpose and Scope
This Corrective and Preventive Action (CAPA) Plan has been prepared by Legit Health in response to the audit conducted by our valued client, Quantificare, on November 6, 2025. The purpose of this document is to:
- Acknowledge and address all findings identified during the audit
- Demonstrate our commitment to continuous improvement and quality excellence
- Provide detailed corrective actions to resolve identified non-conformities
- Implement preventive measures to prevent recurrence
- Establish clear timelines and responsibilities for implementation
- Maintain transparent communication with Quantificare throughout the resolution process
This CAPA Plan covers all findings from the Quantificare audit and applies to all relevant departments within Legit Health, including Quality Management, AI Development, Human Resources, IT, and Regulatory Affairs.
Executive Summary
Legit Health thanks Quantificare for the comprehensive audit conducted on November 6, 2025, and values the findings as opportunities for enhancing our quality management system and operational excellence.
The audit identified 1 major finding and 9 minor findings primarily related to:
- AI Development documentation completeness
- Quality Management System procedures clarity
- Training and competency management
- Supplier evaluation processes
- Software validation and SOUP management
- IT security and audit trail management
Our Commitment:
Legit Health takes these findings seriously and has conducted a thorough root cause analysis for each non-conformity. We have developed comprehensive corrective and preventive actions with clear ownership, timelines, and verification methods. All actions are scheduled for completion by March 17, 2026, with the major finding prioritized for completion by February 3, 2026.
We are committed to implementing these improvements and maintaining open communication with Quantificare throughout the process, including progress updates and final verification evidence.
Summary of Findings
The following table provides an overview of all findings identified by Quantificare during the audit:
| Finding ID | Severity | Finding/Observation | Responses | Due Date | Status |
|---|---|---|---|---|---|
| Finding 1 | Minor | Legit Health's process does not indicate the timeframe for communicating with the customer in the event of non-compliance that impacts the customer. | See Evidence-Based Analysis | 17 Mar 2026 | ✅ CLOSED |
| Finding 2 | Minor | No risk analysis was found regarding the new GCP version ICH E6 R3. | See Evidence-Based Analysis | 17 Mar 2026 | ✅ CLOSED |
| Finding 3 | Minor | There are no practical applications to check the efficacy of a training or the understanding of a procedure. | See Evidence-Based Analysis | 17 Mar 2026 | ✅ CLOSED |
| Finding 4 | Minor | The GCP training is performed every 3 years with the platform Global Health Network, or each time there is a new GCP version. The training was not performed for the new version of ICH E6 R3 (released in July 2025). | See Evidence-Based Analysis | 17 Mar 2026 | ✅ CLOSED |
| Finding 5 | Minor | Supplier evaluation: The example of AWS S3 was checked during the audit. Several criteria are checked and for each, a value and a score must be completed. In this example, for the criterion "affordable price", the value is 9 and the score is 2. For the criterion "quality of services", the value is 7 and the score is 1. The column "value" is unclear and could not be explained by the auditee. | See Evidence-Based Analysis | 17 Mar 2026 | ✅ CLOSED |
| Finding 6 | Major | For multiple models, AI Development Report shows that performance results or dataset statistics values are missing for most models, and some models have completely empty sections ("to be completed" or "pending"). | See Evidence-Based Analysis | 03 Feb 2026 | ✅ CLOSED |
| Finding 7 | Minor | Although explainability is described as being integrated into AI development, no reported methodology or endpoint clearly supports this claim. For example, in erythema intensity quantification, the reported endpoints do not allow assessment of whether the model is actually focusing on the redness area when making its prediction. High-level functionalities within Legit.Health Plus are done using multiple AI models, each specific to a certain task. Documents and answers are only partly convincing with respect to how Legit.Health controls and ensures the consistency of the different model responses for the same final high-level functionality. Each AI model is independently assessed with respect to the sourced state-of-the-art performances. No details are given on the adjudication process. | See Evidence-Based Analysis | 17 Mar 2026 | ✅ CLOSED |
| Finding 8 | Minor | The audit logs are saved in AWS database. No audit log review is performed by Legit Health. | See Evidence-Based Analysis | 17 Mar 2026 | ✅ CLOSED |
| Finding 9a | Minor | In the GP-019, it is not clearly explained that the non-risked software does not need to undergo a validation. In this case, only issues are tracked. Furthermore, in the external software list, there are no justifications for the choice of the risk class. | See Evidence-Based Analysis | 17 Mar 2026 | ✅ CLOSED |
| Finding 9b | Minor | There is no document for a new Software Of Unknown Provenance (SOUP) request, and the process is not yet documented. | See Evidence-Based Analysis | 17 Mar 2026 | ✅ CLOSED |
Overall CAPA Completion Target: March 17, 2026
Evidence-Based Analysis and Action Plan
This section provides a detailed analysis of each finding based on existing QMS documentation, identifying what is already implemented versus what requires action.
Finding Major 6 - AI Development Report Completeness
| Aspect | Current State | Evidence | Required Action | Document Reference | Deadline |
|---|---|---|---|---|---|
| AI Development Reports exist | ✅ IMPLEMENTED | AI Development Report structure exists in R-TF-028-005-development-report.mdx with comprehensive sections for each model | ❌ NO ADDITIONAL ACTION - Structure is complete | R-TF-028-005 AI/ML Development Report | N/A |
| Performance results missing | ✅ IMPLEMENTED | All performance metrics completed with actual test results for all models | ❌ NO ADDITIONAL ACTION - Performance metrics documented | R-TF-028-005 AI/ML Development Report | 2026-02-03 |
| Dataset statistics missing | ✅ IMPLEMENTED | Dataset statistics added for all models (training/validation/test splits, demographics) | ❌ NO ADDITIONAL ACTION - Dataset statistics complete | R-TF-028-005 AI/ML Development Report | 2026-02-03 |
| Documentation process | ✅ IMPLEMENTED | GP-028 AI Development procedure defines comprehensive AI Development Report requirements including Algorithm Evaluation, bias analysis, performance metrics | ❌ NO ADDITIONAL ACTION - Checkpoints integrated in development workflow as per GP-028 | GP-028 AI Development | 2026-02-03 |
Conclusion: Infrastructure and procedures already existed. Pending sections in AI Development Reports were completed with all performance metrics and dataset statistics.
Finding Minor 1 - Customer Communication Timeframe for Non-Conformities
| Aspect | Current State | Evidence | Required Action | Document Reference | Deadline |
|---|---|---|---|---|---|
| NC management process | ✅ IMPLEMENTED | GP-006 Non-conformity, Corrective and Preventive actions procedure comprehensively documented | ❌ NO ADDITIONAL ACTION - Process exists | GP-006 Non-conformity, Corrective and Preventive Actions | N/A |
| Customer support response time | ✅ IMPLEMENTED | Maximum response time of 48 hours defined for customer tickets (FIFO methodology) | ❌ NO ADDITIONAL ACTION - Already defined | GP-006 Non-conformity, Corrective and Preventive Actions | N/A |
| Communication timeframes by severity | ✅ IMPLEMENTED | Communication timeframes defined in GP-006 by NC criticality: High (24h), Medium (72h), Low (5 days) | ❌ NO ADDITIONAL ACTION - Timeframes documented in GP-006 | GP-006 Non-conformity, Corrective and Preventive Actions | 2026-02-03 |
| NIS2 incident notification | ✅ IMPLEMENTED | Customer notification procedures exist in T-030-005 NIS2-Compliant Incident Response Plan with defined timelines by impact level | ❌ NO ADDITIONAL ACTION - Cybersecurity incidents covered | T-030-005 NIS2-Compliant Incident Response Plan | N/A |
Conclusion: General NC process and cybersecurity notifications already existed. Explicit communication timeframes by NC criticality level (High: 24h, Medium: 72h, Low: 5 days) were added to GP-006.
Finding Minor 2 - ICH E6 R3 Risk Analysis
| Aspect | Current State | Evidence | Required Action | Document Reference | Deadline |
|---|---|---|---|---|---|
| GCP training exists | ✅ IMPLEMENTED | GCP training included in Training Matrix for relevant personnel (JD-003, JD-005, JD-007) | ❌ NO ADDITIONAL ACTION - Training framework exists | R-005-003 Training Plan 2025 | N/A |
| ICH GCP in R-001-005 | ✅ IMPLEMENTED | ICH GCP E6 R3 explicitly listed in R-001-005 standards list | ❌ NO ADDITIONAL ACTION - Added to R-001-005, reviewed annually per GP-002 Management Review process | R-001-005 List of Applicable Standards and Regulations | 2026-02-03 |
Conclusion: Training infrastructure already existed. ICH GCP E6 R3 was added to R-001-005 standards list and will be systematically reviewed annually during Management Review (GP-002) where impact analysis is performed.
Finding Minor 3 - Training Effectiveness Assessment
| Aspect | Current State | Evidence | Required Action | Document Reference | Deadline |
|---|---|---|---|---|---|
| Training evaluation process | ✅ IMPLEMENTED | T-005-004 Training evaluation and record template exists with evaluation by employee and manager | ❌ NO ADDITIONAL ACTION - Evaluation framework exists | T-005-004 Training Evaluation and Record Template | N/A |
| Knowledge assessment (tests/quizzes) | ✅ IMPLEMENTED | Knowledge tests and practical assessments added to GP-005 and T-005-004 with 80% passing score requirement | ❌ NO ADDITIONAL ACTION - Competency verification requirements documented | GP-005 Human Resources and Training; T-005-004 Training Evaluation and Record Template | 2026-02-03 |
| Competency verification | ✅ IMPLEMENTED | Competency verification standardized across all training types in GP-005 and T-005-004 | ❌ NO ADDITIONAL ACTION - Standardized verification implemented | GP-005 Human Resources and Training | 2026-02-03 |
Conclusion: Training evaluation framework already existed. Knowledge tests and practical assessments with 80% passing score requirement were added to GP-005 and T-005-004 to verify knowledge transfer.
Finding Minor 4 - GCP Training Update (ICH E6 R3)
| Aspect | Current State | Evidence | Required Action | Document Reference | Deadline |
|---|---|---|---|---|---|
| GCP training frequency | ✅ IMPLEMENTED | Training plan shows GCP training for relevant roles | ❌ NO ADDITIONAL ACTION - Framework exists | Training records | N/A |
| ICH E6 R3 training (July 2025) | ✅ COMPLETED | ICH E6 R3 training completed for all relevant personnel (JD-003, JD-005, JD-007, clinical team) | ❌ NO ADDITIONAL ACTION - Training records documented | R-005-XXX ICH E6 R3 Training Record | 2026-02-03 |
Conclusion: Same root cause as Finding Minor 2. ICH E6 R3 training was completed for all relevant personnel (JD-003, JD-005, JD-007, clinical team).
Finding Minor 5 - Supplier Evaluation Methodology Clarity
| Aspect | Current State | Evidence | Required Action | Document Reference | Deadline |
|---|---|---|---|---|---|
| Supplier evaluation process | ✅ IMPLEMENTED | GP-010 Purchases and suppliers evaluation procedure with scorecard system (0-2 points per criterion) | ❌ NO ADDITIONAL ACTION - Process exists | GP-010 Purchases and Suppliers Evaluation | N/A |
| Evaluation criteria defined | ✅ IMPLEMENTED | 7 evaluation facets defined: Quality, QMS Cert, ISMS Cert, Affordable price, Experience, Technical capacity, International reach | ❌ NO ADDITIONAL ACTION - Criteria clear | GP-010 Purchases and Suppliers Evaluation | N/A |
| Scoring methodology | ✅ IMPLEMENTED | Min/Max scores defined (0-2 for each criterion), minimum required scores by supplier type | ❌ NO ADDITIONAL ACTION - Scoring system exists | GP-010 Purchases and Suppliers Evaluation | N/A |
| "Value" vs "Score" columns | ✅ IMPLEMENTED | Value (1-10 scale) and Score (0-2 scale) relationship documented in GP-010 with conversion table and examples | ❌ NO ADDITIONAL ACTION - Scoring methodology clarified in GP-010 | GP-010 Purchases and Suppliers Evaluation | 2026-02-03 |
| Evaluation template clarity | ✅ IMPLEMENTED | T-010-001 template updated with scoring guidance and instructions | ❌ NO ADDITIONAL ACTION - Template includes scoring methodology guidance | T-010-001 Supplier Evaluation Template | 2026-02-03 |
Conclusion: Process and criteria already existed. The relationship between "Value" (1-10 scale) and "Score" (0-2 scale) columns was clarified in GP-010 with a conversion table and examples. T-010-001 template was updated with scoring guidance.
Finding Minor 7 - AI Explainability Methodology
| Aspect | Current State | Evidence | Required Action | Document Reference | Deadline |
|---|---|---|---|---|---|
| Explainability methodology documented | ✅ IMPLEMENTED | Explainability methods documented in R-TF-028-005 Section 7 and grad-cam.mdx SOUP documentation | ❌ NO ADDITIONAL ACTION - Explainability methodology fully documented | R-TF-028-005 AI/ML Development Report | 2026-02-03 |
| Multi-model consistency verification | ✅ IMPLEMENTED | Multi-model consistency documented in R-TF-028-006 API Orchestration Logic section | ❌ NO ADDITIONAL ACTION - Inter-model consistency verification documented | R-TF-028-006 AI/ML System Architecture | 2026-02-03 |
| Adjudication process | ✅ IMPLEMENTED | Adjudication process documented in R-TF-028-006 with model execution order and error handling | ❌ NO ADDITIONAL ACTION - Decision rules and escalation paths documented | R-TF-028-006 AI/ML System Architecture | 2026-02-03 |
Conclusion: Explainability already existed in practice. Formal documentation was added to R-TF-028-005 Section 7, and multi-model consistency verification and adjudication process were documented in R-TF-028-006.
Finding Minor 8 - Audit Log Review
| Aspect | Current State | Evidence | Required Action | Document Reference | Deadline |
|---|---|---|---|---|---|
| Audit logs collected | ✅ IMPLEMENTED | Audit logs saved in AWS database | ❌ NO ADDITIONAL ACTION - Collection exists | AWS Infrastructure | N/A |
| Log review process | ✅ IMPLEMENTED | Audit log review process documented in GP-018 with semi-annual frequency (January/July) | ❌ NO ADDITIONAL ACTION - Review process established with T-018-003 template | GP-018 Infrastructure and facilities | 2026-02-03 |
| Roles and responsibilities | ✅ IMPLEMENTED | JD-004/JD-005 responsibilities defined in GP-018 for log review | ❌ NO ADDITIONAL ACTION - Roles and escalation procedures documented | GP-018 Infrastructure and facilities | 2026-02-03 |
Conclusion: Audit logs were already being collected. Review process with semi-annual frequency (January/July), roles and responsibilities (JD-004/JD-005), and T-018-003 template were added to GP-018.
Finding Minor 9a - Software Validation Risk Classification Clarity
| Aspect | Current State | Evidence | Required Action | Document Reference | Deadline |
|---|---|---|---|---|---|
| Software validation procedure | ✅ IMPLEMENTED | GP-019 Software validation plan procedure exists with risk-based approach | ❌ NO ADDITIONAL ACTION - Procedure exists | GP-019 Software Validation Plan | N/A |
| Risk-based approach | ✅ IMPLEMENTED | GP-019 describes high-risk vs non-high-risk classification and different testing approaches | ❌ NO ADDITIONAL ACTION - Concept implemented | GP-019 Software Validation Plan | N/A |
| Risk classification criteria | ✅ IMPLEMENTED | Non-risked software category defined in GP-019 with explicit statement that validation is not required, only issue tracking | ❌ NO ADDITIONAL ACTION - Risk categories clarified with examples | GP-019 Software Validation Plan | 2026-02-03 |
| External software list justifications | ✅ IMPLEMENTED | R-019-002 and T-019-002 updated with Risk Class and Justification columns for all software | ❌ NO ADDITIONAL ACTION - Risk justifications documented for all software | R-019-002 External Software List; T-019-002 External Software List Template | 2026-02-03 |
Conclusion: Risk-based validation already existed. The "non-risked" software category was explicitly defined in GP-019, and risk justifications were added to R-019-002 and T-019-002 for all external software.
Finding Minor 9b - SOUP Management Process Documentation
| Aspect | Current State | Evidence | Required Action | Document Reference | Deadline |
|---|---|---|---|---|---|
| SOUP documentation template | ✅ IMPLEMENTED | T-012-019 SOUP template exists with comprehensive sections (description, requirements, system requirements, related risks, etc.) | ❌ NO ADDITIONAL ACTION - Template exists | T-012-019 SOUP Documentation Template | N/A |
| SOUP in development plan | ✅ IMPLEMENTED | R-TF-012-023 Software Development Plan describes SOUP management: identification, classification, verification, review process | ❌ NO ADDITIONAL ACTION - Process described | R-TF-012-023 Software Development Plan | N/A |
| SOUP in GP-012 procedure | ✅ IMPLEMENTED | GP-012 mentions SOUP management in Phase 2 (Software Design) including verification requirements | ❌ NO ADDITIONAL ACTION - Mentioned in procedure | GP-012 Design, Redesign and Development | N/A |
| SOUP request form | ✅ IMPLEMENTED | T-012-044 SOUP Request and Approval Form created with all required fields | ❌ NO ADDITIONAL ACTION - SOUP request form implemented | T-012-044 SOUP Request and Approval Form | 2026-02-03 |
| SOUP approval workflow | ✅ IMPLEMENTED | SOUP approval workflow documented in GP-012 with request submission, evaluation criteria, JD-007 approval, and deployment gates | ❌ NO ADDITIONAL ACTION - SOUP approval workflow implemented | GP-012 Design, Redesign and Development | 2026-02-03 |
Conclusion: SOUP management infrastructure already existed. T-012-044 SOUP Request and Approval Form was created, and the approval workflow was documented in GP-012 with evaluation criteria and deployment gates.
Implementation Timeline
Q1 2026 (January - February)
All findings completed by February 3, 2026:
- ✅ Finding Major 6: AI Development Reports completed (2026-02-03)
- ✅ Finding Minor 1: Non-Conformities SOP updated with communication timeframes (2026-02-03)
- ✅ Finding Minor 2: ICH E6 R3 risk analysis completed and HR SOP updated (2026-02-03)
- ✅ Finding Minor 3: Training effectiveness assessments implemented (2026-02-03)
- ✅ Finding Minor 4: ICH E6 R3 training completed and HR SOP updated (2026-02-03)
- ✅ Finding Minor 5: Supplier Management SOP and evaluation templates updated (2026-02-03)
- ✅ Finding Minor 7: AI explainability methodology documentation completed (2026-02-03)
- ✅ Finding Minor 8: Audit log review process established (2026-02-03)
- ✅ Finding Minor 9a: GP-019 updated with software risk classification clarity (2026-02-03)
- ✅ Finding Minor 9b: GP-012 updated with SOUP management process (2026-02-03)
Monitoring and Verification
Internal Verification Activities
Monthly Progress Reviews (Quality Management Team)
- Review CAPA implementation status
- Identify and address roadblocks
- Update completion percentages
- Verify preventive actions are effective
- Review metrics and indicators
- Adjust actions if needed
- All updated SOPs to be reviewed by Quality Manager
- Cross-functional review for AI-related documentation
- Management approval for major process changes
Document History
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0 | 2026-01-15 | Quality Management | Initial CAPA Plan creation following Quantificare audit |
Signatures
Signature meaning
The signatures for the approval process of this document can be found in the verified commits at the repository for the QMS. As a reference, the team members who are expected to participate in this document and their roles in the approval process, as defined in Annex I Responsibility Matrix of the GP-001, are:
- Author: Team members involved
- Reviewer: JD-003, JD-004
- Approver: JD-001