Deviations are departures from established procedures or standard practices that could impact the quality or safety of a drug. They can happen (or come to light) at any stage of the drug design, manufacturing or marketing process. They can pose a serious risk to future patient safety (and overall business efficiency) if they are not tackled promptly and effectively.
Deviation management is a systematic process for identifying, investigating and documenting quality events that deviate from established protocols as you develop and manufacture pharma products.
Historically, deviations have been grouped into planned and unplanned deviations.
Planned deviations are pre-approved changes in response to an identified need for a temporary or permanent alteration of processes. This might be a reaction to the need for a new approach in design or development or for substituting raw materials or equipment where specified items are unavailable.
However, many regulators and workers in the sector would argue a ‘planned deviation’ is not a deviation at all but a change in process that needs to be risk-assessed and controlled like any other. For that reason, this guide will focus on dealing with unplanned deviations (aka non-conformances) in the pharma sector.
For more information on managing unplanned deviations, you can read our guide to implementing an effective change control process in the pharmaceutical industry.
On the other hand, unplanned deviations are unforeseen events that require action to correct and prevent recurrence. They range from emergency incidents that require immediate correction to minor issues that do not represent a significant threat to quality but should be corrected to improve efficiency.
Controlling deviations in the process is a huge regulatory focus in the pharma space because of the complexity of managing Quality Control in manufactured products. As QA pioneer Harold F. Dodge famously said, “You cannot inspect quality into a product’ - and that's particularly true in pharma production where millions of pills are rolling off production lines every day.
Collecting accurate information about deviations in SOPs and triggering appropriate remedial action when you find them is the way you prevent dangerous products from emerging from factories in the first place. It’s how you prove to auditors that you have the procedures in place to control this risk.
As the FDA put it:
“An effective QMS (“Quality Management Oversight system”) establishes and maintains a state of control throughout the product lifecycle via systems that vigilantly oversee process performance and product quality.”
Source FDA; Establishing a Culture of Quality
For these reasons, deviation management underpins the standards and regulations that govern the design and production of safe and efficacious drugs around the world.
International guidelines and regulations define the requirements for deviation management in the pharma and biosciences sector.
Key among these are:
ICH Q10 (Pharmaceutical Quality System) outlines a model for an effective quality management system, including handling deviations. It emphasises the importance of identifying, documenting, evaluating, and investigating deviations while implementing corrective and preventive actions (CAPA).
International requirements for pharmacovigilance, such as those in the EMA regulations, require continuous monitoring and documentation of deviation management processes. The regulation states that companies must keep:
“Records to demonstrate that deficiencies and deviations from the established quality system are monitored, that corrective and preventive actions have been taken, that solutions have been applied to deviations or deficiencies and that the effectiveness of the actions taken has been verified”.
GMP guidelines, as enforced by regulatory bodies like the U.S. Food and Drug Administration (FDA), the European Medicines Agency (EMA), and others, require the establishment of procedures for dealing with deviations. These regulations also demand a systematic approach to recording, investigating, and correcting deviations to prevent recurrence.
GCP guidelines govern the planning and execution of clinical trials. The EMA regulations define the need to systematically identify, classify, investigate and resolve deviations as part of the Quality Management System. It should be noted that poorly managed clinical trial data is a major cause of pharmaceutical project failure, so quality assurance has become a regulatory priority.
ISO 9001, a standard for quality management system, includes requirements that can be applied to deviation management. It stresses the need for continuous improvement and the importance of documenting deviations and non-conformances to enhance product quality.
Different types of deviation and the risk they pose to your customers and business must trigger different responses within your company.
For example, Regulation (EU) No 1252/2014 of the GMP requires you to conduct risk-based evaluations of detected deviations to ensure they are handled appropriately. The GCP guidelines require you to categorise deviations as Critical, Major or Minor and supply distinct definitions for each.
Most businesses adopt this framework to categorise deviations in their pharma development and manufacturing process, ensuring they are always addressed with the right level of detail and urgency.
"Drop everything and fix this immediately"
A critical deviation is a severe non-conformance from established procedures or standards that poses urgent risks to product quality, patient safety, or compliance with regulatory requirements. Examples might include:
"Make this a high priority"
A major deviation indicates a significant departure from required procedures or standards that impacts a product’s quality, safety, or efficacy but may not directly impact patients. Examples might include:
"Fix when you can"
A minor deviation involves divergences from established procedures or standards that have a noticeable but limited impact on product quality or compliance capabilities.
"You might like to think about..."
An OFI is an unplanned or uncontrolled event that does not directly affect the manufacturing process parameters or product quality. However, its occurrence may merit a change in process to secure future efficiencies and further minimise risk.
Every business needs a process for identifying, categorising and acting on different levels of deviation events according to the risk they pose to end users, your operations and your compliance status.
You can download Cognidox's suggested severity definitions to help develop a system that meets regulatory requirements and works for you.
If you invest in an electronic quality management system (eQMS) developed for pharmaceutical companies, it may come pre-loaded with templates and workflows for deviation management. These will help you ensure quality events automatically trigger a consistent and robust response.
Typically, they look to animate process in line with GxP requirements for deviation management.
Read our guide to Corrective and Preventive Actions for life science companies
Your system should also have a mechanism in place to:
In this way, you can create a virtuous circle of analysis and optimisation to ensure your business builds a long-term resistance to expensive and potentially dangerous process failures.
Pharma development is complex, and the potential for process deviations that have serious business consequences is vast.
However, implementing a deviation management process can also be fraught with risk. Without a digitised and automated process for reporting, you can end up misreporting incidents that require investigation and correction. But too many digital controls, imposed via an overly rigid eQMS can result in unnecessary investigations that slow down your process and strangle innovation.
Many eQMS will come with preloaded deviation management and CAPA SOPs that you cannot effectively change or customise to fit the way you work. Introducing these systems at a moment when you are scaling operations can lead to ‘over processing’ and a world of bureaucracy that does not enhance your compliance capabilities.
While a robust system for deviation management is essential as you digitise operations, you should look for the digital tools and templates that allow you to customise your approach as much as possible.