THE CHALLENGE OF DEVIATION MANAGEMENT

   

GMP/GDP – On Demand Online Training

You can book the desired online training from our extensive database at any time. Click below for more information.

   

Stay informed with the GMP Newsletters from ECA

The ECA offers various free of charge GMP newsletters  for which you can subscribe to according to your needs.

"Humans plan and God laughs." The simple truth is that things will go wrong from time to time. In the world of pharmaceuticals, we need to ensure that we have robust processes and procedures in place to deal with such situations.

How do we structure such processes and procedures? Some companies call them incidents; others events; more deviations; and my preference - non-conformances. When an unplanned event arises it may or it may not result in a deviation, or stepping outside of normal procedure. Where it does, it must be handled accordingly.

We can call it a deviation, but in my view, the term 'non-conformance' works best as it can reflect all types of scenarios, including non-conforming materials; process deviations; failure to comply with SOPs; validation out-of-specification results (OOSs) and confirmed lab OOSs. I'm sure there are lots more examples that you can add. We can have a central repository of information on problem scenarios to help us perform our trend evaluations and holistic quality management reviews. ICH Q9 "Quality Risk Management" and ICH Q10 "Pharmaceutical Quality Systems" are the new 'kids on the block' in terms of quality management guidelines and they are welcomed in my view, as they empower us to handle issues that arise in our pharma operations on the basis of risk to product quality.

We need to have a clear understanding of the steps involved in managing non-conformances.

1. Reporting a non-conformance

This is an obvious first step; however, if it is not executed well it is unlikely that the subsequent stages of the non-conformance handling process will be effective. If the key details of the non-conformance are not captured in real-time, then being mere humans, we will forget the details of the occurrence very quickly. So, don't accept non-conformance procedures that allow any more than same day reporting or reporting by someone who wasn't party to the non-conformance when it arose - they simply won't work!

 2. Immediate action

Sometimes it is necessary to secure the batch or contain the problem by taking immediate corrective action, for example, segregating bulk or finished product. It is important that this is done without delay to minimise the potential adverse impacts of the occurrence.

Root Cause Analysis

Recommendation

Berlin, Germany4/5 December 2024

Root Cause Analysis

3. Assigning criticality

Be careful of this; if anything, err on the side of caution! The process flow for managing a 'major' non-conformance versus a 'minor' non-conformance can be completely different and options for formally assessing risk or performing a root cause analysis can be excluded from the set of actions required for a 'minor' non-conformance. If you assign criticality in advance of having completed your investigations, you may need to revisit it when you have identified probable cause(s).

4. Planning an investigation

The investigation is a critical part of the non-conformance management process. It needs to be done by personnel who are sufficiently experienced and, in my view, by people who think laterally. A good investigation requires the involvement of a team - a team of different disciplines and different perspectives.

5. Root cause(s) analysis

How often do we actually identify the true root cause(s) when we investigate a non-conformance? Very often we don't use formal root cause analysis tools such as the five why's or fishbone analysis and instead jump to conclusions too quickly and assign 'human error' as an easy way out. After all, if this allows us to close our non-conformance within 30 days and perhaps earn our performance bonus, what incentive is there to do a proper analysis? And that's not all! How often do we consider the possibility of multiple root causes? Wow, that's asking a lot, but it is absolutely necessary because as we know, nothing in life is simple, and when things go wrong, there are often multiple contributory causes that we need to address.

6. Recurrence analysis

This is a fundamental part of an investigation, but I am giving it a whole title to itself because typically, it is not performed well or even at all! Do we even clearly define what we mean by recurrence in our non-conformance management procedures? Recurrence should be linked primarily with root cause, which brings us full circle - we can't do effective recurrence analysis without having performed effective root cause analysis. However, recurrence should also take account of time/history. Be careful here though; it is not valid to assign a look-back period of 6 months if you are only manufacturing that product periodically - you need to have a (statistically) relevant data set on which to perform your analysis.

7. Risk Assessment

So, we have performed a robust investigation, root cause and recurrence analyses, and now we need to evaluate the risk from the non-conformance to process control and product quality. We must not forget that we are manufacturing medicines that will be taken by people who are sick and whose health may be compromised. We owe each and every one of them a duty of care to ensure that we evaluate the impact or risk of the non-conformance on the suitability of our product to be consumed. To evaluate this we must perform a formal risk assessment for major non-conformances, and I would suggest, for minor, recurring non-conformances, as these could be ticking time-bombs. Oh dear! If I have classified the non-conformance as a minor non-conformance at the start of the non-conformance management process and it turns out to be a major non-conformance, I won't even be prompted by my computerised system to evaluate the need for a formal risk assessment. So what does my SOP tell me?

And don't forget that a risk assessment is not limited to evaluating quality risks related to the batch or batches that are impacted directly by the non-conformance. There may be implications for other batches or products on the market.

8. Escalation process

We need to constantly evaluate the need to escalate a non-conformance to senior management based on the seriousness of the issue. As part of this, we need to review the categorisation that we have assigned to the non-conformance when we opened the non-conformance record and we may need to change it from a minor to a major non-conformance if our investigations demonstrate the need. Also, be aware of requirements for notification of product quality defects; a number of national regulatory agencies have published guidance documents on this topic.

9. Identifying, assigning and approving CAPAs

Let us remind ourselves of what Corrective and Preventive Actions (CAPAs) are. Corrective actions are those actions that are taken to remediate a situation. They can be immediate, short or long-term actions. Preventive actions are those actions that are taken to prevent the problem from arising again. Effective root cause analysis is the key to identifying appropriate CAPAs.

10. Implementing CAPAs

Confirmation of satisfactory implementation and effectiveness of CAPAs is required. Effectiveness checks should be specific to each CAPA and it is important to identify early detection points to monitor for recurrence as discussed above.

11. Close out

Another important element of non-conformance and CAPA management is the timelines for closure of CAPAs. It is recommended that a risk based approach is used to monitor key steps in the process. Typically, the target for implementation is 30 days. However, in practice this may need to be longer. Ok, in theory, but has proper justification been provided and documented? Extended closure timelines will need approval by Quality Management.

12. Review, analysis and trending

As part of the periodic quality review programme (e.g. quarterly), Quality Management should routinely analyse reports of non-conformances and CAPA s to determine trends in non-conformances reported, recurrence and effectiveness of CAPA s. A summary overview should be reported to the Senior Management team. We know that ICH Q10 identifies this as best practice - but are we doing it as well as we could or should?

13. Management of 3rd parties

Technical and quality agreements should be in place to define requirements for 3rd parties to report all deviations and non-conformances to the contract giver. Another important point to note is the reporting process for non-conformances by a CMO/contract laboratory. Will all deviations be reported? Will only minor deviations be reported? How does the contractor define a minor non-conformance? An impact assessment of these non-conformances is required by Quality Management and these assessments should be documented. Third party audits of your suppliers should incorporate verification of non-conformance reporting.

HPLC Data Integrity - Live Online Training

Recommendation

22/23 January 2025

HPLC Data Integrity - Live Online Training

14. Opportunities for Improvement (OFIs) and Continuous Quality Improvements (CQIs)

All personnel involved in the reporting of non-conformances and in CAPAs should aim to identify OFIs, which may be submitted to the programme for continuous quality improvement coordinated by Quality Management.

The bottom line is - investigating the cause of a quality failure or other production problem is something that all pharmaceutical companies must do - some more frequently than others! Detailed and structured procedures are required to deal with these non-conformances - the more comprehensive and structured the investigation process is, the more effective it will be!

Author:
Ann McGee
... B.Sc.(Pharm), M.Sc., MPSI is the Managing Director and Principal Consultant with McGee Pharma International, providing quality, regulatory compliance and training services and products to the pharmaceutical industry worldwide.

Go back

To-Top
To-Bottom