
Using risk-based thinking to manage nonconformities and deviations


Deviations and nonconformities, as all QA professionals know, are at the very heart of quality management. Detecting them is fundamental in preventing quality issues, and paves the way to improvement. However, preventing deviations and nonconformities from occurring in the first place, through effective risk-based thinking and subsequent risk management strategies, is key.

Risk has always played a big part in ISO standards, but updated versions have made it more important than ever. Standards like ISO 9001:2015 and 13485:2016 require companies to apply risk-based thinking to a variety of processes across planning, operations, and performance evaluation.  

So, what exactly is risk-based thinking, and how do you implement it in your organization?


What is risk-based thinking and how is it different from risk management?

The idea behind risk-based thinking is that it helps an organization to identify risks within crucial processes during the realization of products and services, which allows companies the opportunity to decide if action is required at an early stage.

Using risk-based thinking basically means performing a risk evaluation when controls, processes, and improvements are being established in a QMS. Unlike risk management, processes to track these risks, or to re-assess risk and take additional actions, aren’t part of risk-based thinking. It’s really just thinking about risk in the earliest stages. ISO’s risk-based thinking requirements concentrate on incorporating risk into decision-making, without formalizing exactly how to do it.

Risk-based thinking is not just a method to prevent negative outcomes such as undesired deviations and nonconformities. It can also help identify opportunities: the positive side of risk! Although a positive deviation of the risk can provide an opportunity, not all positive effects of risk result in opportunities. Sounds confusing? Dive into this expert discussion, which explains the point in-depth.


How can I implement risk-based thinking in my QMS?

The new risk-based thinking requirements mean that companies need a way to make risk an integral part of their QMS, and there are several tools that can help. 

For a detailed look into which tools are excellent for incorporating risk-based thinking into your operations, read our blog article: 5 Risk Assessment tools used by Life Sciences Companies.


At what stages should I implement risk-based thinking?

Let’s look at how ISO 9001:2015 incorporates risk concepts into its requirements.

Areas where risk appears in the new standard include:

    • Organizational context:
      When setting up the context of the organization, your company must identify risks that could impact quality objectives. This includes evaluating the risk of producing nonconforming products, which may differ depending on the type of products manufactured.

    • Leadership:
      Your company’s management must commit to addressing risks and opportunities that may impact product quality.

    • Planning:
      It’s not just about identifying risks and opportunities, you also need to create plans for how to deal with them.

    • Operation:
      Your company must implement and control the actions identified during the planning steps.

    • Performance evaluation:
      Your company must track and analyze any risks and opportunities identified.

    • Improvement:
      Your company must make improvements based on any changes in risk.


How do I conduct an NC/deviation process using risk-based thinking?

A thorough procedure for managing nonconformities and deviations should include the below considerations.


  • Who should report and who should handle an NC/deviation? 

Define who reports the nonconformity or deviation in the first place, and the responsible person who they should report it to. Think about potential risks here.


  • How soon should an NC/deviation be reported and handled?

Define the maximum time permitted from observing a deviation or nonconformity to reporting it, based on a risk analysis. Usually, the rule is to report a deviation immediately - but it depends on the importance of the deviation. The original observer should notify their supervisor or manager to issue the report, typically within the same day or shift.

The subsequent NC/deviation investigation should be thorough and completed as quickly as possible. This time period should also be specified, usually as a number of days. Deviations are breaches (negligence) of controlled processes, so they should be handled immediately. It helps to base this decision on deviation severity.


  • The severity of NC/deviation (category)

Define the severity of risk that the NC/deviation poses, and prepare potential CAPAs. Create a categorization chart based on severity level (e.g. minor, major, critical) and take necessary steps according to it. This is important for a QA department to prioritise urgent or serious NC/deviations.


  • Required information in the NC/deviation description

The details that should be recorded about an NC/deviation when it’s issued must be defined beforehand, so that important information isn’t missed and the NC/deviation is categorized correctly. Missing information may cause a report to be closed ineffectively. If areas of information are missing, some risks may also not be apparent or considered when taking action.

A well-described NC/deviation is the single most crucial step in the deviation management sequence. To make sure every important detail is included, you can use the handy 5W1H method (What? Who? Where? When? Why? How?). Additionally, all details should be in chronological order as much as possible.


Figure: six-phase graphic showing how to proceed with the 5W1H method to manage nonconformities and deviations (risk-based thinking).

Asking the 5W1H questions allows you to fill in all the details when issuing a deviation, and makes sure you don’t miss potentially important information.


Scilife’s modules facilitate risk-based thinking

When thinking about risk in your quality systems, Scilife not only has a dedicated Risk Assessment module and links to powerful CAPA management and Change Control modules, it also makes logging events like deviations and nonconformities quick and accessible to everyone through a specialised Events module.

Our Events module really is your best friend when it comes to infusing risk-based thinking in your NC/deviation management processes.

Our purpose-built and highly customizable module allows you to create as many data fields (with preconfigured options chosen by you) as you need, so no information is missed when a deviation is logged. You can also set up handy automations in Scilife. For example, setting up automatic notifications to the responsible persons when a deviation is submitted, so that your QA team is immediately notified by the platform and action can be taken quickly. No emails or phone calls between employees are required! This is especially useful when a deviation is urgent and there’s no time to lose.

Simplifying the deviation logging process for employees means quicker follow-ups, fewer compliance issues and time saved for everyone!


To Sum up

Risk-based thinking is a useful and important component when managing nonconformities and deviations in your quality system. Nowadays, the ISO standards pertaining to the life science industry even demand it, so it’s vital to infuse risk into all steps of your nonconformity/deviation management process, from reporting to follow up. With Scilife by your side, daily risk-based thinking becomes effortless.
