Deviation Handling and Quality Risk Management (Part – I)

Deviation Handling and Quality Risk Management


The aim is to contribute to the understanding of a quality risk management approach in the handling of deviations from a practical perspective as per WHO expectations. 

The intent is to support the effective and timely implementation of tools related to deviation management encountered during vaccine and biological manufacturing.


This note for guidance provides vaccine and biological manufacturers with non-binding information concerning the criteria currently used by WHO regarding deviation management as part of the assessment of pre-qualified human vaccines.

Among the essential elements of a well-established Quality Management System (QMS), deviation handling plays a key role in assuring quality in products and contributing to continuous improvement.

Manufacturers are expected to “establish processes and define appropriate controls for measurement and analysis to identify non-conformities and potential non-conformities; defining when and how corrections, corrective actions, or preventive actions should be undertaken.

These actions should be commensurate with the significance or risk of the non-conformity or potential nonconformity”.

As part of a comprehensive Corrective and Preventive Actions (CAPA) program, once a deviation is detected, it needs to be contained with immediate actions (i.e., corrections), the root causes identified as necessary, and systemic actions implemented (i.e., corrective actions) as applicable in order to prevent future same or similar non-conformances.

GMPs have evolved as a consequence of the inherent risks to the product during manufacturing operations in order to prevent significant deviations.

Quality Risk Management (QRM) has been proposed as a strategy to manage risk in a systematic and documented manner and has become a requirement of modern GMPs as recommended by international standards like WHO or ICH Q9.

An efficient deviation handling system should implement a mechanism to discriminate events based on their relevance and to objectively categorize them, concentrating resources and efforts on good-quality investigations of the root causes of relevant deviations.

A strong CAPA system requires this efficient deviation handling system which evaluates the event according to the associated risk, categorizes it and acts accordingly in a timely manner, and verifies the effectiveness of the actions taken.

As a formal or informal tool, Quality Risk Management (QRM) has always been part of the analysis process linked to the handling of events and deviations in pharmaceutical operations.

This guidance proposes a possible strategy to differentiate non-significant events which actually do not affect the product’s quality or violate any norm or defined procedure, from actual deviations which could impact the product´s quality.

Deviation handling

Quality Risk Management was mainly designed to be used prospectively when manufacturing operations are defined and validated. Therefore, potential deviations are identified and avoided by implementing risk control measures and preventive actions.

QRM is based on the identification of product attributes and operational parameters which are critical to manufacturing operations in order to identify in advance their associated risks and describes how this information may be used as criteria for the categorization and treatment of events, and eventually, deviations.

Risk management in dealing with deviations is not only practical but provides a framework for a decision-making process based on a scientifically sound and objective approach, while also enabling decisions to be confidently upheld before the regulatory authorities.

Under this approach, a sequence of steps may be identified when handling events and possible deviations:

  • Event Detection
  • Decision-Making Process / Deviation Categorization
  • Deviation Treatment
  • Root cause investigation
  • CAPA

Event detection:
The manner in which personnel reacts when in presence of an event is the first challenge to the system, and it largely depends on their level of training, qualification, commitment, and support form upper management.

As a basic requirement, personnel is expected to be alert and aware of possible undesirable events and clearly know what to do in terms of documenting and communicating them.

The way personnel reacts and makes decisions can be systemized and improved by the use of a decision tree to initially screen events based on their risk and impact on the product in order to categorize, record, and investigate them as needed.

Deviation Categorization
The decision tree described in Diagram 1 is a simplified risk assessment that answers the following questions when an event is encountered:

a. Can the event affect a product attribute, manufacturing operational parameter or the product’s quality?
b. Does the event contradict or omit a requirement or instruction contemplated in any kind of approved written procedure or specification?

Should the answer be NO for questions a. and b? above, the event may be considered an Incident (irrelevant event, not impacting the product´s quality).

It nevertheless needs to be documented (e.g.: recorded in batch record or logbook, as appropriate) in case it needs to be retrieved later as part of an investigation as applicable.

The following are possible examples of incidents. It is noted that each event needs to be analyzed as described above developing objective and justified criteria and avoiding the natural bias from different people or groups.

The examples below should be considered as that only, and they could be categorized differently with proper justification:

– Temporary power failure in a warehouse where no temperature-sensitive materials are stored, with no temperature excursion from the established range.

– Production process parameters or environmental monitoring data reach alert levels but are still within an acceptable range.

On the other hand, should the answer be YES for questions a. and b? above (or there is a degree of doubt), and based on the decision tree, the event shall follow the path toward a deviation category.

Deviations should require a higher level of analysis and documentation, and are usually covered by a deviation handling procedure.

A decision needs to be made to categorize the deviation as Minor, Major, or Critical.

This decision process should be based as applicable and as possible on the impact (or hazard) and risk on the process and product quality by the use of any QRM tool. 

Minor Deviations

When the deviation does not affect any quality attribute, a critical process parameter, or equipment or instrument critical for process or control, it would be categorized as Minor and treated as such by the applicable procedure.

Possible examples of minor deviations are given below:

– Skip of FEFO principle (first expired-first out) in raw material handling.
– Balance out of tolerance used to determine gross weight of raw materials upon reception.
– Pressure differential out of established limits in class D washing area.
– Inadequately trained personnel to perform warehouse cleaning activities.

Major Deviations

When the deviation affects a quality attribute, a critical process parameter, equipment or instrument critical for process or control, of which the impact to patients (or personnel/ environment) is unlikely, the deviation is categorized as Major requiring immediate action, investigation, and documented as such by the appropriate SOP.

Possible examples of major deviations  are given below:

– Use of unapproved reference standards to test an API or drug product.
– Inadequately trained personnel to perform sterility tests.
– Production started without line clearance.
– Filter integrity test has been carried out using equipment with no documented installation qualification completed.
– Gross misbehavior of staff in a critical aseptic process.
– Pressure differential out of established limits in aseptic fill areas.
– Operational parameter out of range for a parameter defined as non-critical.
– Untrained personnel responsible for segregating the approved and rejected raw materials in the warehouse

Critical Deviations

When the deviation affects a quality attribute, a critical process parameter, an equipment or instrument critical for process or control, of which the impact to patients (or personnel or environment) is highly probable, including a life-threatening situation, the deviation is categorized as Critical requiring immediate action, investigated, and documented as such by the appropriate SOP.

Possible examples of critical deviations are given below:

– Expired or rejected API component used.
– Sterilization record of product-contact material used in the aseptic filling process not available or unacceptable.
– Incomplete inactivation stage of fermentation.
– Temperature out of control limit during detoxification stage.


 Note 1:

Deviations need to be analyzed based on objective and justified criteria avoiding the natural bias from different people or groups. Therefore, the examples of minor, major, and critical deviations given above should be considered as that only, and they could be categorized differently with proper justification.

Note 2:

A pre-existent QRM will always help answer these questions and categorize the events. When QRM information is not available, all process parameters are potentially critical until there is sufficient data (process and/or developmental) to justify the contrary.

For More Updates Visit –


Reference: WHO (Deviation Handling and Quality Risk Management)

About Pharmaceutical Guidanace

Ms. Abha Maurya is the Author and founder of pharmaceutical guidance, he is a pharmaceutical Professional from India having more than 18 years of rich experience in pharmaceutical field. During his career, he work in quality assurance department with multinational company’s i.e Zydus Cadila Ltd, Unichem Laboratories Ltd, Indoco remedies Ltd, Panacea Biotec Ltd, Nectar life Science Ltd. During his experience, he face may regulatory Audit i.e. USFDA, MHRA, ANVISA, MCC, TGA, EU –GMP, WHO –Geneva, ISO 9001-2008 and many ROW Regularities Audit i.e.Uganda,Kenya, Tanzania, Zimbabwe. He is currently leading a regulatory pharmaceutical company as a head Quality. You can join him by Email, Facebook, Google+, Twitter and YouTube

Check Also


VIRTUAL INSPECTION PURPOSE: To lay down the procedure for establishing a comprehensive system of virtual …