A Guide to Deviation Management in the Pharma & Bioscience Sectors

deviation_managementManaging deviations from standard operational procedures is critical to product quality and regulatory compliance in the pharmaceutical and biosciences industries. Here's a short guide to developing a deviation management process to meet these demands while keeping your business agile. 

Deviations are departures from established procedures or standard practices that could impact the quality or safety of a drug. They can happen (or come to light) at any stage of the drug design, manufacturing or marketing process. They can pose a serious risk to future patient safety (and overall business efficiency) if they are not tackled promptly and effectively.

What is deviation management?

Deviation management is a systematic process for identifying, investigating and documenting quality events that deviate from established protocols as you develop and manufacture pharma products.  

Historically, deviations have been grouped into planned and unplanned deviations.

Download our easy to use non-conformance report template (in Word Format)What are planned deviations?

Planned deviations are pre-approved changes in response to an identified need for a temporary or permanent alteration of processes. This might be a reaction to the need for a new approach in design or development or for substituting raw materials or equipment where specified items are unavailable.

However, many regulators and workers in the sector would argue a ‘planned deviation’ is not a deviation at all but a change in process that needs to be risk-assessed and controlled like any other.  For that reason, this guide will focus on dealing with unplanned deviations (aka non-conformances) in the pharma sector.

For more information on managing unplanned deviations, you can read our guide to implementing an effective change control process in the pharmaceutical industry.

What are unplanned deviations?

On the other hand, unplanned deviations are unforeseen events that require action to correct and prevent recurrence. They range from emergency incidents that require immediate correction to minor issues that do not represent a significant threat to quality but should be corrected to improve efficiency. 

The importance of deviation management in the pharma industry

Controlling deviations in the process is a huge regulatory focus in the pharma space because of the complexity of managing Quality Control in manufactured products. As QA pioneer Harold F. Dodge famously said, “You cannot inspect quality into a product’ - and that's particularly true in pharma production where millions of pills are rolling off production lines every day.

Collecting accurate information about deviations in SOPs and triggering appropriate remedial action when you find them is the way you prevent dangerous products from emerging from factories  in the first place.  It’s how you prove to auditors that you have the procedures in place to control this risk.

As the FDA put it:

“An effective QMS (“Quality Management Oversight system”) establishes and maintains a state of control throughout the product lifecycle via systems that vigilantly oversee process performance and product quality.”

Source FDA; Establishing a Culture of Quality

For these reasons, deviation management underpins the standards and regulations that govern the design and production of safe and efficacious drugs around the world.

International regulatory framework for deviation management

International guidelines and regulations define the requirements for deviation management in the pharma and biosciences sector.

Key among these are:

1. International conference on harmonisation (ICH) guidelines

ICH Q10 (Pharmaceutical Quality System) outlines a model for an effective quality management system, including handling deviations. It emphasises the importance of identifying, documenting, evaluating, and investigating deviations while implementing corrective and preventive actions (CAPA).

2. Good pharmacovigilance practices (GVP)

International requirements for pharmacovigilance, such as those in the EMA regulations, require continuous monitoring and documentation of deviation management processes. The regulation states that companies must keep:

“Records to demonstrate that deficiencies and deviations from the established quality system are monitored, that corrective and preventive actions have been taken, that solutions have been applied to deviations or deficiencies and that the effectiveness of the actions taken has been verified”.

3. Good Manufacturing Practice (GMP) regulations

GMP guidelines, as enforced by regulatory bodies like the U.S. Food and Drug Administration (FDA), the European Medicines Agency (EMA), and others, require the establishment of procedures for dealing with deviations. These regulations also demand a systematic approach to recording, investigating, and correcting deviations to prevent recurrence. 

4. Good Clinical Practice (GCP) regulations

GCP guidelines govern the planning and execution of clinical trials. The EMA regulations define the need to systematically identify, classify, investigate and resolve deviations as part of the Quality Management System. It should be noted that poorly managed clinical trial data is a major cause of pharmaceutical project failure, so quality assurance has become a regulatory priority.

5. ISO 9001

ISO 9001, a standard for quality management system, includes requirements that can be applied to deviation management. It stresses the need for continuous improvement and the importance of documenting deviations and non-conformances to enhance product quality.

How to classify deviation severity within your QMS

Different types of deviation and the risk they pose to your customers and business must trigger different responses within your company.

For example, Regulation (EU) No 1252/2014 of the GMP requires you to conduct risk-based evaluations of detected deviations to ensure they are handled appropriately.  The GCP guidelines require you to categorise deviations as Critical, Major or Minor and supply distinct definitions for each.

Most businesses adopt this framework to categorise deviations in their pharma development and manufacturing process, ensuring they are always addressed with the right level of detail and urgency.


"Drop everything and fix this immediately"

A critical deviation is a severe non-conformance from established procedures or standards that poses urgent risks to product quality, patient safety, or compliance with regulatory requirements. Examples might include:

  • Contamination of raw materials.
  • Failure of clean room protocols.
  • Deviations from a critical process parameter (CPP).
  • A failure of equipment leading to delay or wasted materials.
  • Detection of an Out of Specification (OOS) product requiring investigation and correction.


"Make this a high priority"

A major deviation indicates a significant departure from required procedures or standards that impacts a product’s quality, safety, or efficacy but may not directly impact patients. Examples might include:


"Fix when you can"

A minor deviation involves divergences from established procedures or standards that have a noticeable but limited impact on product quality or compliance capabilities.

  • Errors in documentation that do not compromise data integrity.
  • Variations in product appearance that do not affect efficacy or safety.

Incident (or opportunity for improvement)

"You might like to think about..."

An OFI is an unplanned or uncontrolled event that does not directly affect the manufacturing process parameters or product quality. However, its occurrence may merit a change in process to secure future efficiencies and further minimise risk.

Every business needs a process for identifying, categorising and acting on different levels of deviation events according to the risk they pose to end users, your operations and your compliance status.  

You can download Cognidox's suggested severity definitions to help develop a system that meets regulatory requirements and works for you.

Powering deviation management process with an eQMS

If you invest in an electronic quality management system (eQMS) developed for pharmaceutical companies, it may come pre-loaded with templates and workflows for deviation management.  These will help you ensure quality events automatically trigger a consistent and robust response. 

Typically, they look to animate process in line with GxP requirements for deviation management.



  • Immediate action: Workers should be trained in an initiation process that includes recording details of a deviation, assessing the potential risk involved, and taking any necessary mitigating actions. An eQMS can automate processes to ensure protocol is understood and applied.
  • Classification: Events are classified based on severity—incident, minor, major, or critical—to prioritise resolution efforts effectively.


  • Deviation report (aka non-conformance report): The right workers should have access to a digital NCR form that records the deviation's details, including nature, location, and potential impact.
  • Responsibility: The department where the deviation occurred is responsible for filing the Deviation Report promptly to avoid delays in addressing the issue.


  • Root-cause analysis: Conducted especially for major or critical deviations to identify the underlying cause and assess the need for Corrective and Preventive Action (CAPA).
  • CAPA initiation: Based on the investigation's findings, CAPAs may be initiated to prevent recurrence and ensure continuous improvement.

Read our guide to Corrective and Preventive Actions for life science companies


  • Audit trails: Your system should ensure that every step of the process is fully documented, tracking all actions and changes, and providing full transparency and accountability around your decision-making for future inspections.
  • Notifications and reminders: Your workflows should ensure key stakeholders are reminded to complete, approve and follow up documentation.  Digital automation should plug process gaps and mitigate the risk of process failure.

Implementation of corrective actions

  • Corrective actions: Implemented to prevent future occurrences of the deviation.
  • Effectiveness checks: Conducted to ensure the corrective actions have the desired impact, with timely and efficient action critical for continuous improvement and compliance.

Implementing preventive actions

Your system should also have a mechanism in place to:

  • Regularly assess operations for the risk of deviations.
  • Ensure workers can raise concerns or issues about the potential for future quality issues.

In this way, you can create a virtuous circle of analysis and optimisation to ensure your business builds a long-term resistance to expensive and potentially dangerous process failures.

A word of warning

Pharma development is complex, and the potential for process deviations that have serious business consequences is vast.

However, implementing a deviation management process can also be fraught with risk. Without a digitised and automated process for reporting, you can end up misreporting incidents that require investigation and correction. But too many digital controls, imposed via an overly rigid eQMS can result in unnecessary investigations that slow down your process and strangle innovation.

Many eQMS will come with preloaded deviation management and CAPA SOPs that you cannot effectively change or customise to fit the way you work. Introducing these systems at a moment when you are scaling operations can lead to ‘over processing’ and a world of bureaucracy that does not enhance your compliance capabilities.

While a robust system for deviation management is essential as you digitise operations, you should look for the digital tools and templates that allow you to customise your approach as much as possible.

Free non-conformance report template

Joe Byrne

Written by Joe Byrne

Joe Byrne is the CEO of Cognidox. With a career spanning medical device start-ups and fortune 500 companies, Joe has over 25 years of experience in the medical device and high-tech product development industries. With extensive experience in scaling businesses, process improvement, quality, medical devices and product development, Joe is a regular contributor to the Cognidox DMS Insights blog where he shares expertise on scaling and streamlining the entire product development cycle, empowering enterprises to achieve governance, compliance, and rigour.