Medicinal products and medical devices should be manufactured at a high level of quality to ensure they are fit for purpose. Manufacturers must also ensure patients are not at risk due to inadequate product quality.
Providing high-quality products means manufacturing every unit to be safe, effective, and free from contamination or defects.
This is where an appropriate Quality Management System (QMS) comes in. A QMS that incorporates GxP and Quality Risk Management can monitor the effectiveness of the manufacturing process. A quality system is effective when the manufacturer identifies problems quickly and implements corrective and preventive actions. Therefore, the key component of any quality system is how you handle deviations.
Today, we will discuss how to handle deviations in pharma and how to perform the corresponding root cause analysis, investigation, conclusion, and follow-up.
What is a deviation?
A deviation is defined as any measurable difference between an observed value and an expected or ‘normal’ value for a process or product condition, or a departure from approved standards, instructions, procedures, or specifications. The point at which such a departure from the norm becomes a true deviation must be defined.
Deviations vs Nonconformities
Nonconformity
A nonconformity is a non-fulfillment of any specified requirement. Keep in mind that ISO guidelines have edited out the word "nonconformance", therefore it is most appropriate to use the term “nonconformity.”
Nonconformities can occur in both product and process. As such, nonconforming processes can lead to nonconforming products. Thus, these events should be thoroughly investigated and resolved to prevent recurrence.
As an example of nonconformity:
When quality control analysis determines that the purity of a medicinal product does not meet specifications, the corresponding out-of-specifications result is categorized as a nonconformity. The product will not be approved in this case. Instead, it will be destroyed, as there is no way to reprocess it.
Deviation
There are two types of deviations: planned and unplanned.
- Planned deviations are short-term deviations or changes from an existing process or procedure that are intended to run in a controlled manner, as part of the new process validation. They are intentional and pre-approved by Quality Assurance before execution. It is important to highlight that a planned deviation is not a substitute for Change Management. Current guidelines state that any deviation from instructions or procedures should be avoided as much as possible. However, some planned deviations occur and are allowed with justification.
- Unplanned deviations correspond to any departure from approved instructions or standards that appears unexpectedly, due to human error, equipment failure, or malfunction.
How to handle deviation in pharma
The workflow of a deviation management process may differ from one organization to another, depending on whether you use a paper-based or electronic quality management system. Typically, we divide the deviation process into six phases:
- Phase 1: Deviation identification and reporting
- Phase 2: Investigation and root cause analysis
- Phase 3: Risk assessment
- Phase 4: Action plan (CAPAs)
- Phase 5: CAPA effectiveness checks
- Phase 6: Periodic reviews
Deviation identification and reporting
In the first phase, initial data and evidence are collected. The deviation is documented based on internal procedures. At the very least, the following items should be recorded:
- Name of the observation
- Name of the notifier plus the date and time
- Name and ID of the affected equipment and product
- Process status at the time the event occurred
- A short description of the deviated procedure or standard, possible root causes, etc.
- The type of the deviation is identified: incident, minor, major, or critical based on Risk Management System principles
- Immediate actions have been taken
Alternatively, you can identify the deviation based on the 5W1H approach. Checklists or predefined templates are recommended in this phase.
Employees should be trained to understand the deviation process so they can report as soon as they deviate, make a mistake, or notice something unusual, preferably on the date it occurs.
This initial step also plays a vital role in tackling the CAPA process since this includes the identification of the problems that require corrective actions. It also identifies the sources used to classify the issues at play.
Sometimes, immediate corrections are taken before the investigation is completed and the root cause is determined. This is because immediate action may mitigate a serious risk or safety issue. If any immediate action (correction) is taken, it should be documented during the identification phase.
Deviation identification and reporting
Any significant deviations should be fully recorded and investigated, to determine the root cause and the appropriate corrective and preventive actions (Eudralex: Chapter 1.8, VII). The deviation should be identified and reported by the personnel involved in the relevant process. However, only qualified individuals should be authorized to issue the event. In addition to that, the investigation report should be approved by a competent person, usually a QA manager. In the absence of a QA manager, a responsible backup can evaluate the report.
The investigation is one of the most important (and the most difficult) phases of this process. Typically, a root cause analysis is unnecessary if the event is categorized as incident or minor. However, if it’s major or higher, and the root cause is unknown, a thorough investigation should be performed using root cause analysis tools.
The goal is to determine the core reason why a problem has occurred and that leads to nonconformity or unplanned deviation. This approach is often called Root cause analysis (RCA) which is a systematic problem-solving process.
Effective RCA requires critical thinking and a team of multidisciplinary experts to examine every angle. Therefore, a steering team is assigned for every deviation, with representatives and owners from all functional areas. Each team member can offer their expertise to guide the investigation.
From there, the deviation can be thoroughly investigated and the root cause promptly corrected.
Both RCA and Quality Risk Management principles should be applied during the investigation. There are reliable tools and techniques for analyzing root causes including:
- FMEA (Failure Mode and Effect Analysis)
- Process Mapping
- Fault Tree Analysis (FTA)
- Fishbone Diagram (Cause and Effect or Ishikawa)
- 5 Whys
Further Reading: 5 Risk Assessment tools used by Life Sciences Companies
Sometimes, even though all subject matter experts are involved and all proper tools and techniques are used, the true root cause(s) of a nonconformity/deviation cannot be determined. In these cases, consideration is given to the most likely root cause(s) so that those can be addressed.
The root causes could originate from different types of errors including:
- Human
- Material
- Measurement
- Environment
- Method
- Machine
Risk assessment
Health authorities and regulatory guidance encourage organizations to classify deviations/nonconformities based on quality risk management criteria.
Risk-based classification of an event determines its criticality. It also helps to determine the level and scope of the investigation and the efforts needed to look into an event. This is critical, as there aren’t unlimited resources to investigate every event. Simply you can focus on the most critical ones.
Once the root cause is determined, this phase checks the impacts of the root cause on products in other batches that could have been affected by the event. It is possible for a nonconformity to lead to other deviations.
For example, if the deviation is related to an instrument breakdown during batch production (e.g., pH meter), then all batches manufactured since the last calibration check must be included in the investigation.
This investigation can easily be adjusted if you use an Electronic Quality Management System, as it integrates events with other issues (e.g., change controls, calibration dates, other investigations, etc.).
In general, risk assessment is a risk rating tool, using a scoring system, that helps to categorize an event based on predefined criteria.
You can use a risk assessment tool called FMEA (Failure Modes and Effects Analysis) to categorize deviations. The FMEA model calculates a risk rating using three factors: Severity (S), Probability of Occurrence (P or O), and Detectability (D).
For example,
- Probability (P), or likelihood, could be scored as follows:
- Detectability (D), a similar approach can be used.
- Severity can be applied to measure the impact on quality attributes. This could also be used to assess the potential risk to human health, as well as the risk of loss of a customer. It could also be used to assess environmental risks, etc.
The risk rating is derived by multiplying the Severity (S), Probability (P) of Occurrence, and Detectability (D) to identify the criticality level. You should define at least 2 levels for what is acceptable and what is not acceptable based on your product.
Building a CAPA action plan
Once the root cause analysis is completed and the cause leading to the event is found, appropriate corrective and preventive actions (CAPAs) should be identified and documented in an action plan response to the investigation. Corrective actions are taken to correct the issue, while preventive actions are taken to prevent deviations and non-conformities. Depending on the risk assessment outcome, sometimes no action is needed.
Tips and Recommendations
In the previous sections, we discussed how to handle a deviation, conduct investigations, and perform root cause analysis. Once you do everything correctly up to this step, it’s time to execute the actions that you’ve planned. This should be very straightforward as you have already found the root cause and planned actions to resolve it.
However, the importance of effectiveness checks of actions taken is often overlooked and underestimated.
CAPA effectiveness checks
CAPA effectiveness should be monitored and assessed regularly.
The auditors and inspectors expect manufacturers to demonstrate that their quality system is effective. A system should be able to identify problems quickly and implement effective preventive and corrective actions but at the same time be able to show that it is also effective. Therefore, the system should have a built-in effectiveness verification system to check actions taken.
Remember that this phase corresponds to the “C” (Check) phase of the Deming Cycle: PDCA (Plan, Do, Check and Act). If the CAPA process is unsuccessful or only partially successful, another CAPA process must be initiated.
Additionally, when the action is a change in the process, additional validation or revalidation activities might be required. Those validation activities generate data and evidence to confirm the effectiveness of the actions taken to eliminate repetition of the deviation or future nonconformity.
Periodic reviews
Periodic reviews continuously monitor whether deviations and nonconformities reoccur. This phase determines the validation status and the actions required to maintain the validated state of systems or equipment. It is intended to show everything is under control. The monitored data ensures the processes remain fit for their intended use.
Periodic reviews are used to check all significant events, the corresponding investigations, and the effectiveness of the corrective and preventive actions taken. Reviews can be done by product or process type, equipment, department, etc.
For example, the department where the event originated should gather data over a period related to the effectiveness of the implemented action. Quality Assurance can also be involved in the review to check the effectiveness of the actions taken and to ensure no additional concerns have been added due to the changes.
Conclusion
In conclusion, conducting thorough root cause analyses and effectively handling deviations are essential elements of maintaining the integrity of a quality management system. This blog post has explored the critical steps involved—from identifying and reporting deviations to investigating them and implementing corrective and preventive actions (CAPAs). Each phase is crucial in ensuring that the quality, safety, and efficacy of products are not compromised.
It is important to remember that a well-managed deviation handling system should not be seen as a cost, but as an investment in quality assurance, risk management, and patient safety. Using the principles outlined in this article, manufacturers can ensure that their products consistently meet the high-quality standards required for medical use by adhering to a state of control that not only meets but exceeds regulatory standards.
Find out how a smart QMS can help you handle deviations effectively.