Tool/Calculator/Template

Cold Chain CAPA Checklist: The Corrective Action Template That Closes BRCGS Record-Control Gaps

12 min read

BRCGS audits flag an average of 4.86 non-conformities per site, and record control (Clause 3.3.1) ranks as the #9 most common NC globally. This corrective action checklist template ties cold-chain excursion triggers, product dispositions, and verification steps to the same tamper-evident record ID inspectors audit — closing the documentation gap that turns temperature incidents into formal findings.

In this guide

  1. Why this matters to an EHO
  2. Step 1: Trigger identification — what happened and when
  3. Step 2: Impact assessment — what was affected and how much
  4. Step 3: Corrective action — what was done and by whom
  5. Step 4: Verification — proof that the corrective action worked
  6. Step 5: Prevention — what stops this from happening again
  7. Wire the CAPA checklist to the six compliance layers
  8. Tier the CAPA workflow: Shield, Command, and Intelligence

The BRCGS 2024–25 Annual Report documents an average of 4.86 non-conformities per audit across more than 38,000 certificated sites worldwide, with record control (Clause 3.3.1) ranking as the ninth most common non-conformity and document control (Clause 3.2.1) at seventh — meaning nearly one in five audit findings traces back to incomplete, unsigned, or unverifiable paperwork rather than an actual food safety failure.

For cold-chain operators, that statistic translates into a specific risk: an excursion happens, someone fixes it, but nobody documents the trigger, the product disposition, the verification, or the prevention step in a format auditors can trace. The corrective action exists in practice but not in evidence — and BRCGS assessors, EHOs, and Section 21 courts all require the evidence.

This checklist template bridges that gap. It follows the five-step CAPA structure — Trigger → Impact → Corrective Action → Verification → Prevention — and ties every step to the same deterministic record ID that powers the Cold Chain Compliance pillar, the Excursion Register Causality Map, and the BRCGS Audit Non-Conformities analysis.

Use it as a standalone paper template, a Command-tier automation spec, or a BRCGS Clause 2.11 corrective action register — the structure works regardless of whether you are running Shield, Command, or Intelligence today.

Why this matters to an EHO

Environmental Health Officers and BRCGS assessors ask the same question when they see a temperature log with a spike: what happened next? Section 21 of the Food Safety Act 1990 requires you to prove all reasonable precautions were taken and all due diligence was exercised — and a corrective action that was completed but never documented is indistinguishable from one that never happened.

The BRCGS data confirms the scale of the problem: 185,000+ non-conformities were identified across audits in the 2024–25 reporting period, and the two record-related clauses (3.3.1 and 3.2.1) together represent a significant share of findings. When your CAPA checklist ties the trigger to the same record ID as the Daily Log and SFBB diary, inspectors stop questioning whether the corrective action predated their visit.

Implementation checklist

  • Lead every CAPA discussion with the record ID, the timestamp of the triggering excursion, and the Food Law Code or BRCGS clause the corrective action satisfies.
  • Show AUTO-DETECTED vs STAFF ENTRY tags on the originating diary entry so assessors can verify that the trigger was sensor-led, not retrospectively added.
  • Attach the calibration certificate ID for the sensor that detected the excursion so instrument accuracy is never in question.
  • Reference Section 21 wording in the CAPA closure statement so the document reads as due diligence evidence, not an internal memo.
  • Log who reviewed and signed off the CAPA (name, role, timestamp) within seven days of closure so management oversight is literal.

Step 1: Trigger identification — what happened and when

Every CAPA starts with an unambiguous trigger statement. For cold-chain events, the trigger should cite the sensor ID, the threshold breached, the magnitude of deviation, the duration, and the Daily Log record ID that captured it. 'Fridge 3 exceeded 8 °C at 02:14 by 1.2 °C for 38 minutes (Record ID: DL-2026-03-13-SITE-03)' is an auditable trigger. 'Fridge was warm overnight' is not.

Command tier generates these triggers automatically as AUTO-DETECTED diary entries, linking the sensor reading to the SFBB diary and the Excursion Register in a single operation. Shield sites should use this checklist as a manual template: fill in the same fields by hand, reference the Daily Log export, and store the completed form alongside the sensor data so the chain of custody is preserved.

Implementation checklist

  • Record the sensor ID, asset name, zone, and calibration certificate number that detected the excursion.
  • Note the exact start time, end time, peak deviation, and threshold breached (e.g. 8 °C chilled, -18 °C frozen, 63 °C hot-hold).
  • Cite the Daily Log record ID so the trigger is traceable to the same immutable data chain inspectors verify.
  • Identify the probable root cause in plain English — door seal fatigue, defrost cycle overshoot, compressor lag, staff error — within 120 words.
  • Stamp the trigger entry with the origination tag (AUTO-DETECTED or STAFF ENTRY) so transparency is immediate.

Step 2: Impact assessment — what was affected and how much

Auditors and EHOs need to know what was at stake. The impact assessment should quantify the food products affected (type, batch, quantity, weight), the vulnerable populations served (if any — care home residents, hospital patients, nursery children), and the regulatory exposure (FHRS confidence-in-management, BRCGS clause, Section 21 defence).

This step is where most manual CAPA systems fail. Staff fix the problem and move on; nobody records the 28 trays quarantined, the allergen implications, or the cost of the wasted stock. Without that record, the BRCGS assessor marks Clause 3.3.1 as a non-conformity because the corrective action is undocumented, even though it was completed.

Implementation checklist

  • List every product batch affected with type, quantity (units and kg), batch/lot number, and shelf life remaining.
  • Note whether vulnerable populations were served from the affected batch (care home, hospital, nursery) and flag for CQC supplement if applicable.
  • Quantify the estimated cost impact: product disposed, re-inspection risk (£115+ per revisit), staff overtime, emergency engineer callout.
  • Cross-reference allergen registers if the affected product carried allergen declarations that may need customer notification.
  • Record the regulatory clauses exposed: BRCGS 3.3.1 (record control), Food Safety Act Section 21, Regulation (EC) 852/2004 Article 5.

Step 3: Corrective action — what was done and by whom

The corrective action must name the person who acted, what they did, and when they did it. 'Quarantined 28 trays, relocated to hold bay, called engineer (ticket #44183), adjusted thermostat from 4 to 3 °C — Jane R., 02:52' is a complete corrective action. 'Fixed the fridge' is a non-conformity waiting to happen.

Flux Command auto-generates the corrective action framework inside the Excursion Report, pulling the staff name from the acknowledgement event and the engineer ticket from the maintenance integration. Shield sites should use the checklist below as a paper-based equivalent, ensuring every field is populated before the form leaves the kitchen.

Implementation checklist

  • Name the staff member who took corrective action, their role, and the exact timestamp of their first intervention.
  • Describe the immediate containment: product quarantined, relocated, disposed of, or verified safe — with disposition decision and rationale.
  • Record the equipment action taken: thermostat adjustment, door seal replacement, compressor reset, engineer callout with ticket number.
  • Attach supporting evidence: photos of quarantined product, waste log entries, engineer invoices, supplier notifications.
  • Link the corrective action to the same record ID used in Step 1 so the trigger and the response are inseparable in the audit trail.

Step 4: Verification — proof that the corrective action worked

Verification closes the loop. A second named person — ideally a supervisor or QA lead, not the person who performed the corrective action — must confirm that the zone returned to compliance, the product disposition was completed, and the equipment fix was effective. The verification timestamp, the return-to-compliance temperature, and the verifier's name create the third pillar of Section 21 evidence (after monitoring and corrective action).

BRCGS Clause 3.3.1 specifically requires 'genuine records' that demonstrate 'effective control.' An unverified corrective action is an open loop — and open loops are what assessors write up. The checklist below ensures verification is documented with the same rigour as the trigger and the fix.

Implementation checklist

  • Assign a verifier who is different from the person who performed the corrective action to ensure independent confirmation.
  • Record the verification timestamp, the return-to-compliance temperature reading, and the sensor ID that confirmed it.
  • Confirm product disposition was completed: quarantined stock released, disposed of (with waste log entry), or escalated to QA for further testing.
  • Verify the equipment fix held: check the next 2–4 hours of Daily Log readings to confirm no repeat excursion occurred.
  • Sign the verification field with name, role, and timestamp, and sync it to the Management Confidence Statement within 12 hours.

Step 5: Prevention — what stops this from happening again

Prevention is the step that separates a reactive fix from a functioning management system. The prevention plan should identify the systemic root cause (not just the proximate trigger), specify the control change (maintenance schedule, staff training, equipment upgrade, alert threshold adjustment), assign an owner and deadline, and schedule a follow-up review.

This is also where the CAPA connects to the Cold Chain Compliance pillar and the broader HACCP review cycle. A prevention step that updates the HACCP plan, adjusts the SFBB diary monitoring frequency, or triggers an equipment lifecycle review shows auditors that the CAPA is embedded in governance, not filed in a drawer.

Implementation checklist

  • Identify the systemic root cause: is this a one-off (door propped open) or a recurring pattern (seal degradation on ageing units)?
  • Specify the preventive control change: updated maintenance schedule, seal replacement programme, staff retraining, alert threshold tightened.
  • Assign an owner and deadline for the preventive action, and log both in the Management Confidence Statement.
  • Schedule a 30-day follow-up review to confirm the prevention held — no repeat excursions in the same zone during the review period.
  • Update the HACCP plan or SFBB diary monitoring frequency if the root cause reveals a gap in the current Critical Control Point definition.

Wire the CAPA checklist to the six compliance layers

A standalone CAPA form is useful; a CAPA form that shares a record ID with the Daily Log, SFBB diary, Excursion Register, inspection pack, CQC supplement, and Energy Intelligence ledger is infrastructure. When an EHO taps the inspection pack and sees the same CAPA record ID referenced in the temperature log, the diary acknowledgement, and the excursion reasoning trace, 'confidence in management' becomes a measurable fact.

Command tier automates this wiring. The moment an excursion triggers a CAPA row, the record ID propagates to every downstream artefact. Shield sites should manually cross-reference the CAPA form number with the Daily Log export and the SFBB diary entry to achieve the same traceability — the checklist structure is identical, only the automation level differs.

Implementation checklist

  • Print the record ID on the CAPA form header and verify it matches the Daily Log, SFBB diary, and Excursion Report for the same event.
  • Attach the CAPA closure summary to the inspection pack so EHOs see corrective actions without requesting additional documents.
  • Copy overnight CAPAs into the CQC supplement when the affected kitchen serves vulnerable populations.
  • Log equipment-related CAPAs in the Energy Intelligence ledger with duty-cycle evidence and avoided-cost calculations.
  • Store the completed CAPA form in append-only storage with a SHA-256 hash so any post-audit alteration is detectable.

Tier the CAPA workflow: Shield, Command, and Intelligence

Shield provides the immutable sensor data that makes every CAPA trigger verifiable — without hash-chained five-minute readings, the corrective action rests on memory rather than evidence. Command automates the entire checklist: AUTO-DETECTED triggers create diary entries, CAPA rows auto-populate with sensor data, and the inspection pack updates before the next shift change. Intelligence extends the CAPA into overnight safeguarding (CQC supplement) and equipment ROI (Energy Intelligence duty-cycle proof).

Print the tier ladder on the CAPA form footer so everyone — EHOs, BRCGS assessors, finance, and estates — understands which controls are automated today and which steps are still manual. That transparency is itself evidence of management maturity.

Implementation checklist

  • Display tier badges (Shield £29 / Command £59 / Intelligence £99) with activation dates on every CAPA form export.
  • Quantify the cost of manual CAPA administration (estimated 45–90 minutes per incident) against Command automation to build the upgrade case.
  • Highlight which CAPA steps are automated at each tier: Shield = verified trigger data; Command = auto-populated form + diary + inspection pack; Intelligence = overnight CQC + energy evidence.
  • Share the same tier snapshot with BRCGS assessors, EHOs, and finance so the CAPA maturity narrative is consistent across audiences.
  • Reference the [Cold Chain Compliance pillar](/blog/cold-chain-compliance-uk-haccp-complete-guide) and [BRCGS Audit Non-Conformities analysis](/blog/brcgs-audit-non-conformities-data-uk-2026) for readers who want the full regulatory context.

Common mistakes

  • Completing the corrective action but never documenting the trigger, impact, or verification — turning a successful fix into a BRCGS Clause 3.3.1 non-conformity.
  • Using different record IDs (or no IDs at all) across the Daily Log, SFBB diary, and CAPA form so assessors cannot trace the chain of custody.
  • Skipping the product disposition field, which leaves auditors unable to confirm whether affected stock was quarantined, disposed of, or released without verification.
  • Assigning the same person to both the corrective action and the verification step, which undermines independent confirmation and raises assessor concerns.
  • Filing CAPA forms in a separate binder instead of linking them to the inspection pack and Management Confidence Statement, making retrieval slow and confidence-in-management scoring reactive.
Turn every cold-chain excursion into a closed CAPA file before the auditor arrives
Shield (£29/month) captures immutable five-minute readings so your corrective action always starts from verified data. Command (£59/month) auto-populates CAPA rows with AUTO-DETECTED triggers, SFBB diary entries, reasoning-rich Excursion Reports, and inspection packs — so this checklist runs itself. Intelligence (£99/month) layers overnight CQC escalations and Energy Intelligence duty-cycle proof so every corrective action includes the equipment story and ROI evidence finance demands.

FAQ

How does this checklist help with BRCGS Clause 3.3.1 (record control)?

Clause 3.3.1 requires 'genuine records' demonstrating 'effective control.' This checklist ensures every cold-chain excursion generates a traceable, timestamped, signed corrective action record with trigger, impact, action, verification, and prevention steps — all tied to the same record ID as the sensor data. That completeness is exactly what assessors check.

Can I use this checklist on paper if I only have Shield tier?

Yes. The five-step structure works identically on paper. Fill in the record ID from your Daily Log export, complete each field by hand, and store the form alongside the sensor data. The only difference is that Command automates the population and linking; Shield requires manual cross-referencing.

What is the recommended response SLA for cold-chain CAPAs?

Target less than 5 minutes from excursion trigger to first staff acknowledgement, less than 15 minutes to populate the corrective action fields, less than 12 hours for independent verification, and less than 30 days for the prevention follow-up review. Log all timestamps against the record ID.

How do I connect this to Section 21 due diligence?

Section 21 requires proof of all reasonable precautions and all due diligence. A completed CAPA checklist demonstrates systematic monitoring (Step 1), documented corrective action (Step 3), verified effectiveness (Step 4), and systemic prevention (Step 5) — the exact narrative courts and tribunals expect.

Should every temperature excursion generate a full CAPA?

Every excursion that breaches a legal threshold (8 °C chilled, -18 °C frozen, 63 °C hot-hold) for more than five consecutive minutes should generate a CAPA row. Brief ambient spikes during planned activities (defrost cycles, stock rotation) can be logged as acknowledged exceptions with a shorter form, provided the return-to-compliance is verified.

Keep exploring

Recommended tools

Sources

← Back to all articles