How to handle deviation in pharma effectively

Deviation in pharma is unavoidable, but how you detect, assess, and resolve it is what protects patients and product quality.

Medicinal products should be manufactured at a high level of quality to ensure they are fit for purpose. Manufacturers must also ensure patients are not at risk due to inadequate product quality. This means manufacturing every unit to be safe, effective, and free from contamination or defects.

This is where an appropriate Quality Management System (QMS) comes in. A QMS that incorporates GxP and Quality Risk Management can monitor the effectiveness of the manufacturing process, identify problems quickly, and trigger timely corrective and preventive actions (CAPA).

Therefore, the key component of any quality system is how you manage deviations.

Continue reading this article to dive into the different types of deviations you might have to tackle and follow our step by step guide on how to handle deviations in pharma. Let’s go!

What is a deviation in pharma? How to interpret deviations from standard behavior in analytics

Before we learn how to handle a deviation in pharma effectively, let’s answer the key question: What is a deviation in pharma?

Deviations are defined as any measurable differences between an observed value and an expected or ‘normal’ value for a process or product condition, or a departure from a documented standard or procedure.

How to interpret deviations from standard behaviour in analytics? The point at which such a departure from the norm becomes a true deviation must be defined. For example, exceeding a set threshold or limit may be recorded as a deviation.

Sometimes, deviation permits can be issued.

A deviation in pharma can arise at any point during a product’s lifecycle, from the testing phase to manufacturing to final product acceptance to post-market surveillance.

For example, a deviation can be triggered by a customer complaint when a company’s standards don’t meet certain certification requirements.

A good eQMS for pharmaceutical companies should have a deviation management software built in to detect and record deviations.

Deviations can be prevented through frequent data reviews and controls; an upward-trending data set approaching the defined deviation threshold can indicate a future deviation and can be stopped through appropriate CAPAs.

How to reduce deviations and cultivate a quality-driven environment with Scilife

Deviation documentation requirements FDA 21 CFR 211.192

According to the deviation documentation requirements as per FDA 21 CFR 211.192, any deviation from set procedures must be documented.

FDA CFR 211.192 / 21 CFR Part 11 obligates a detailed investigation into any deviation, including documentation of conclusions and follow-up actions. Incidents that may affect the quality or reliability of records or tests should also be investigated and resolved.

How to handle a deviation in pharma effectively: Deviations vs Nonconformities

In quality management, the terms deviation and nonconformity are often used interchangeably, but they’re not quite the same.

Both indicate that something has strayed from expectations, yet they differ in scope, intent, and regulatory context. Understanding where the line lies between a deviation and a nonconformity is key to ensuring consistent investigations, accurate reporting, and effective CAPA implementation.

What is a nonconformity

A nonconformity is a non-fulfillment of any specified requirement. Keep in mind that ISO guidelines have edited out the word "nonconformance"; therefore, it is most appropriate to use the term “nonconformity.”

Nonconformities can occur in both product and process. As such, nonconforming processes can lead to nonconforming products. Thus, these events should be thoroughly investigated and resolved to prevent recurrence.

As an example of nonconformity:

When quality control analysis determines that the purity of a medicinal product does not meet specifications, the corresponding out-of-specifications result is categorized as a nonconformity. The product will not be approved in this case. Instead, it will be destroyed, as there is no way to reprocess it.

Non-conformance report template - achieve quality outcomes faster! 

Difference between planned and unplanned deviation in pharma

There are two types of deviations: planned and unplanned. Here’s the difference between planned and unplanned deviation in pharma:

• Planned deviations are intentional, short-term departures from an approved process or procedure, executed in a controlled and pre-approved manner. They are supported by risk assessment, justification, and QA authorization before implementation, and are evaluated post-execution to confirm process control. Planned deviations must never replace formal change control.
• Unplanned deviations, on the other hand, are unintentional departures from approved instructions or standards, typically arising from human error, equipment malfunction, or other unforeseen events. These must be promptly documented, investigated to determine the root cause, and followed by corrective and preventive actions (CAPA) as necessary to prevent recurrence.

Both types of deviations require formal documentation, QA oversight, and impact assessment to maintain compliance and product quality. 

A step by step guide on how to handle deviations in pharma

The workflow of a deviation management in pharma process may differ from one organization to another, depending on whether you use a paper-based or electronic quality management system. Typically, we divide the deviation process into six phases.

Here’s a step by step guide on how to handle deviations in pharma:

#1  Identify, report, and document the deviation

In the first phase of managing a deviation in pharma, initial data and evidence are collected. The deviation is documented based on internal procedures. At the very least, the following items should be recorded:

• Name of the observation
• Name of the notifier plus the date and time
• Name and ID of the affected equipment and product
• Process status at the time the event occurred
• A short description of the deviated procedure or standard, possible root causes, etc.
• The type of the deviation is identified: Incident, minor, major, or critical, based on risk management system principles
• Immediate actions have been taken

Alternatively, you can identify the deviation based on the 5W1H approach. Checklists or predefined templates are recommended in this phase.

Employees should be trained to understand the deviation in pharma process so they can report as soon as they deviate, make a mistake, or notice something unusual, preferably on the date it occurs.

This initial step also plays a vital role in tackling the CAPA process since this includes the identification of the problems that require corrective actions. It also identifies the sources used to classify the issues at play.

Sometimes, immediate corrections are taken before the investigation is completed and the root cause is determined. This is because immediate action may mitigate a serious risk or safety issue. If any immediate action (correction) is taken, it should be documented during the identification phase.

#2  Record, investigate, and run a root cause analysis

This is a key phase in how to handle deviations effectively. Any significant deviations should be fully recorded and investigated to determine the root cause and the appropriate corrective and preventive actions (Eudralex: Chapter 1.8, VII).

The deviation should be identified and reported by the personnel involved in the relevant process. However, only qualified individuals should be authorized to issue the event. In addition to that, the investigation report should be approved by a competent person, usually a QA manager. In the absence of a QA manager, a responsible backup can evaluate the report.

The investigation is one of the most important (and the most difficult) phases of this process. Typically, a root cause analysis is unnecessary if the event is categorized as an incident or minor.

However, if it’s major or higher, and the root cause is unknown, a thorough investigation should be performed using root cause analysis tools.

The goal is to determine the core reason why a problem has occurred and which leads to nonconformity or unplanned deviation. This approach is often called Root Cause Analysis (RCA), which is a systematic problem-solving process.

Effective RCA requires critical thinking and a team of multidisciplinary experts to examine every angle. Therefore, a steering team is assigned for every deviation, with representatives and owners from all functional areas. Each team member can offer their expertise to guide the investigation. From there, the deviation can be thoroughly investigated and the root cause promptly corrected.

Both RCA and Quality Risk Management principles should be applied during the investigation. There are reliable tools and techniques for analyzing root causes, including:

• FMEA (Failure Mode and Effect Analysis)
• Process Mapping
• Fault Tree Analysis (FTA)
• Fishbone Diagram (Cause and Effect or Ishikawa)
• 5 Whys

Recommended learning:

Top risk assessment tools that you should be using in your investigations.

Sometimes, even though all subject matter experts are involved and all proper tools and techniques are used, the true root cause(s) of a nonconformity/deviation cannot be determined. In these cases, consideration is given to the most likely root cause(s) so that those can be addressed.

The root causes could originate from different types of errors, including:

• Human: Errors due to human actions, skill gaps, fatigue, distraction, or lack of training.
• Material: Defective raw materials, contamination, wrong grade, or improper storage.
• Measurement: Faulty calibration, inaccurate instruments, or inconsistent data capture.
• Environment: Temperature, humidity, cleanliness, or external factors affecting results.
• Method: Incorrect procedures, poor documentation, or unclear work instructions.
• Machine: Equipment malfunctions, improper maintenance, or automation faults.

#3 Classify deviations according to your risk assessment

Health authorities and regulatory guidance encourage organizations to classify each deviation in pharma/nonconformities based on quality risk management criteria.

Risk-based classification of an event determines its criticality. It also helps to determine the level and scope of the investigation and the efforts needed to look into an event. This is critical, as there aren’t unlimited resources to investigate every event. Simply, you can focus on the most critical ones.

Once the root cause is determined, this phase checks the impacts of the root cause on products in other batches that could have been affected by the event. It is possible for a nonconformity to lead to other deviations.

For example, if the deviation is related to an instrument breakdown during batch production (e.g., pH meter), then all batches manufactured since the last calibration check must be included in the investigation.

This investigation can easily be adjusted if you use an Electronic Quality Management System such as Scilife, as it integrates events with other issues (e.g., change controls, calibration dates, other investigations, etc.).

In general, risk assessment is a risk rating tool, using a scoring system, that helps to categorize an event based on predefined criteria.

You can use a risk assessment tool called FMEA (Failure Modes and Effects Analysis) to categorize deviations. The FMEA model calculates a risk rating using three factors: Severity (S), Probability of Occurrence (P or O), and Detectability (D).

For example,

• Probability (P), or likelihood, could be scored as follows:

• Detectability (D), a similar approach can be used.
• Severity can be applied to measure the impact on quality attributes. This could also be used to assess the potential risk to human health, as well as the risk of loss of a customer. It could also be used to assess environmental risks, etc.

The risk rating is derived by multiplying the Severity (S), Probability (P) of Occurrence, and Detectability (D) to identify the criticality level. You should define at least 2 levels for what is acceptable and what is not acceptable based on your product.

#4 Build a robust CAPA action plan

Once the root cause analysis is completed and the cause leading to the event is found, appropriate corrective and preventive actions (CAPAs) should be identified and documented in an action plan response to the investigation.

Corrective actions are taken to correct the issue, while preventive actions are taken to prevent deviations and non-conformities. Depending on the risk assessment outcome, sometimes no action is needed.

Scilife Tip:

In the previous sections of this step by step guide on how to handle deviations in pharma, we discussed how to handle a deviation, conduct investigations, and perform root cause analysis.

Once you do everything correctly up to this step, it’s time to execute the actions that you’ve planned. This should be very straightforward, as you have already found the root cause and planned actions to resolve it.

However, remember: Many CAPAs look perfect on paper but fail in practice because execution or verification steps are weak.

Before closing a deviation record, confirm that all actions are realistic, resourced, and time-bound. This ensures the next phase (effectiveness verification) has a solid foundation to measure against.

#5 Monitor CAPA effectiveness with regular checks

CAPA effectiveness should be monitored and assessed regularly. Auditors and inspectors expect manufacturers to demonstrate that their quality system is effective.

A system should be able to identify problems quickly and implement effective preventive and corrective actions, but at the same time be able to show that it is also effective. Therefore, the system should have a built-in effectiveness verification system to check actions taken.

Remember that this phase corresponds to the “C” (Check) phase of the Deming Cycle: PDCA (Plan, Do, Check and Act). If the CAPA process is unsuccessful or only partially successful, another CAPA process must be initiated.

Additionally, when the action is a change in the process, additional validation or revalidation activities might be required. Those validation activities generate data and evidence to confirm the effectiveness of the actions taken to eliminate repetition of the deviation or future nonconformity.

#6 Don’t forget to run periodic reviews

Periodic reviews continuously monitor whether deviations and nonconformities recur. This phase determines the validation status and the actions required to maintain the validated state of systems or equipment.

It is intended to show that everything is under control. The monitored data ensures the processes remain fit for their intended use.

Periodic reviews are used to check all significant events, the corresponding investigations, and the effectiveness of the corrective and preventive actions taken.

Reviews can be done by product or process type, equipment, department, etc.

For example, the department where the event originated should gather data over a period related to the effectiveness of the implemented action. Quality Assurance can also be involved in the review to check the effectiveness of the actions taken and to ensure no additional concerns have been added due to the changes.

Scilife Tip:

Now you've effectively closed the loop and reached the end of this step by step guide on how to handle deviations in pharma. But always keep the learning open.

Treat each periodic review as your opportunity to verify not only that individual CAPAs worked, but that your system is learning. Use reviews to strengthen your QMS.

This means periodic deviation reviews should feed into your Quality Management System metrics and Management Review. Use the outcomes to refine SOPs, retrain staff, update risk assessments, or improve equipment maintenance strategies.

This keeps your QMS dynamic and responsive rather than reactive.

Conclusion: Best deviation management software to handle deviations effectively

In conclusion, conducting thorough root cause analyses and effectively handling deviations are essential elements of maintaining the integrity of a quality management system.

This blog post has explored the critical steps involved—from identifying and reporting deviations to investigating them and implementing corrective and preventive actions (CAPAs). Each phase is crucial in ensuring that the quality, safety, and efficacy of products are not compromised.

It is important to remember that a well-managed deviation handling system should not be seen as a cost, but as an investment in quality assurance, risk management, and patient safety.

Using the principles outlined in this article, manufacturers can ensure that their products consistently meet the high-quality standards required for medical use by adhering to a state of control that not only meets but exceeds regulatory standards.

Discover how Scilife’s deviation management software can help you simplify the process for managing deviations. Fewer missed events, fewer compliance issues, and time saved!