F.07 vidal pp 31-35: F.

13 Loof pp 9-11 23/6/08 18:01 Page 31

European Journal of Parenteral & Pharmaceutical Sciences 2008; 13(3): 31-35

© 2008 Pharmaceutical and Healthcare Sciences Society

Deviation management in the

context of ICH Q9/Q10
R Canadell Heredia, E Garcia Vidal, S Herrero Sas, J Llaja Villena, L Noguera Salvans, A Piñas
Llagostera, D Puñal Peces, E Tardío Pérez, A Tébar Pérez
ICH Q9 Quality Risk Management working party of the Quality Assurance Committee of the Catalan Section of the
Spanish Association of Industrial Pharmacists (AEFI)

The Spanish Association of Industrial Pharmacists (AEFI) monograph ICH Q9 Quality Risk
Management not only describes the general principles of risk management set out in that guideline,
but also takes an approach that is highly practical for the pharmaceutical industry. It therefore
contains examples of how to use various risk analysis tools, including definitions, usage, objectives,
operation, and advantages and disadvantages in each case. This article forms part of one of the
examples of the use of failure mode and effects analysis (FMEA) risk analysis tools.

En la monografía de AEFI Gestión de los riesgos de calidad ICH Q9 además de recoger los principios
generales de Gestión de Riesgos desarrollados en esta Guideline, se ha realizado una aproximación
eminentemente práctica para la industria farmacéutica. Por ello se presentan ejemplos de aplicación
de las diferentes herramientas de análisis de riesgos incluyendo su definición, aplicación, objetivos,
operativa y ventajas e inconvenientes en cada uso. Este artículo forma parte de uno de los ejemplos
de aplicación de las herramientas de análisis de riesgos FMEA (failure mode and effects analysis).

Key words: ICH Q9/Q10, risk management, critical and non-critical deviations, flowchart, failure mode
and effects analysis

Introduction: deviation management • Difficulties in quantifying the effectiveness of

issues corrective/preventive actions taken, and in communicating
them to the rest of the organisation.
In general terms, a deviation is non-compliance with an
established standard. The EU Guide to Good Manufacturing
Practice (GMP) states that any deviation from the approved Using risk management to handle
requirements and procedures must be documented and deviations
explained. ICH Q9 (now incorporated in the EU GMP Guide as Annex
The concept of deviation is so broad that deviation 20) suggests applying the risk management process to both
management as applied to the pharmaceutical industry productive processes and procedures involved in the quality
presents a few problems, such as: management system. Deviation management is one of the
latter, and can be optimised by using risk management tools
• A tendency towards deviation overload, because “everything in two main ways: prioritisation and decision-making.
is reported”. This can result in poor investigation of the root
cause, and poor analysis of the effectiveness of the corrective • Prioritisation: The tool is used to classify undesirable
and preventive action (CAPA) implemented. events according to pre-established criteria. The aim is to
• Thorough handling of all deviations can exhaust the tailor the handling of the deviation, depending on the risk it
available resources and mean that a really important presents to product quality. This is a preliminary
problem is not dealt with properly. From a business point “screening” phase that allows the subsequent treatment of
of view, it is best to assign resources according to the irrelevant events to be simplified.
importance of each incident/deviation. • Decision-making: The tool is used to examine the impact of
• Evaluating the criticality of each individual deviation also the deviation on product quality, and to justify ensuing
uses up valuable resources. If critical points in the process preventive and corrective actions. This is really a risk analysis
and critical product quality attributes have not been of the process in which the deviation arose. In this way, events
defined in advance, each new deviation that arises means a are not assessed in isolation, but their severity and probability
new investigation. are already defined in the history. New entries update the
Corresponding author: E. Garcia Vidal. Email: [email protected] process risk matrix, facilitating risk review.

31
F.07 vidal pp 31-35: F.13 Loof pp 9-11 23/6/08 18:01 Page 32

32 R Canadell Heredia, E Garcia Vidal, S Herrero Sas et al.

Using risk management to deal with deviations provides a

consistent framework for decision-making based on Based on the category into which the event has been
Treatment phase

documentary and scientific records, while also enabling placed, actions are taken as follows:
decisions to be confidently upheld before the regulatory bodies.
Two examples are given below for using risk • Incident: If the event is classed as an “Incident” it is
management tools to classify and handle deviations: closed, as the actions required to resolve it are
described.
• Flowchart for deciding the criticality of deviations; • Non-critical deviation: The process deviation database
• Failure mode and effects analysis (FMEA), introducing is consulted to see how many times it has happened. If
the probability of a problem not being detected. the specified maximum number of repeats allowed has
not been exceeded, the event stays in the “Non-critical
Of the many tools described in ICH Q9, FMEA is one that deviation” category. The appropriate corrective
is adapted and used in a related sector, ie the medical measures are then applied and the deviation is closed as
devices industry. an isolated occurrence. This event is then entered in the
In the examples, it is assumed that the process in which process deviation database, to feed into and update the
the deviation arose has undergone appropriate risk general FMEA for the process.
analysis, so the following are known: • Critical deviation: The event is placed in this category:
– when the answers given in the decision tree point to
• Failure (deviation) history with associated severity a “Critical deviation”;
assessment criteria; – if it was first classified as “Non-critical”, but has
• Probability data for the most commonly occurring exceeded the maximum number of repeats allowed.
failures (deviations);
• Critical points and/or stages in the process; When a critical deviation occurs, a full assessment of its
• A definition of the product’s critical quality attributes. impact on product quality must be carried out, using the
established tool for general process risk analysis.
The same methodology is employed in both examples: It is worth noting that other tools, eg fault tree analysis,
can be used to determine the root cause of any type of
• Analysis phase (differs according to the tool used in deviation. Once the cause is known, the appropriate
each case); corrective and preventive measures are put in place and
• Classification phase; the risk levels are recalculated. Lastly, the final report is
• Treatment phase. written, and the event is closed.
This information will be used to update and feed back
into general process risk analysis at the time of risk
Using a flowchart to manage deviations
review.
In order to classify and define the handling of events Figure 1 illustrates the event-management scheme
(potential deviations), a system such as the following can described above.
be set up.
Example of using a flowchart to manage
The aim of this phase is to place the event that has
deviations
Analysis phase

occurred into one of the pre-established categories.

This is done using a decision tree based on a set of Contamination of a work surface in the dispensing room
Description of event

questions with yes/no answers, directly defining the for medicinal products for injection. Action limits are
category of the event: exceeded.

Q1: Are the corrective actions to be taken described in a

procedure? • Class B dispensing room (ISO 7);
Key features

Q2: Does the deviation affect critical quality attributes? • The product being dispensed undergoes terminal
Q3: Does the deviation affect critical process parameters sterilisation employing an overkill cycle (with no
or stages? incidents);
Q4: Does the deviation affect the calibration of • The bioburden of the product is controlled on a batch-
instruments that measure critical process parameters by-batch basis;
or quality attributes? • The room is monitored weekly;
• Other work surfaces in the same room are within
control limits;
Having followed the strategy, the event is classified into • The micro-organism has been identified as
Classification phase

one of the following categories: Staphylococcus aureus;

• This is the first time it has been detected.
• Incident;
• Non-critical deviation; Once a full description of the event is available, it is
• Critical deviation. analysed.
F.07 vidal pp 31-35: F.13 Loof pp 9-11 23/6/08 18:01 Page 33

DEVIATION MANAGEMENT IN THE CONTEXT OF ICH Q9/Q10 33

DESCRIPTION OF EVENT

SI Q1: Are the corrective actions to be taken

described in a procedure?
NO
Q2: Does the deviation affect critical quality SI
attributes?
ANALYSIS

NO
Q3: Does the deviation affect critical SI
process parameters or stages?
NO
Q4: Does the deviation affect the calibration
SI
of instruments that measure critical process
parameters or quality attributes?
NO
CLASSIFICATION

NON-CRITICAL CRITICAL
INCIDENT
DEVIATION DEVIATION

General process FMEA

Check deviation rate (n) risk assessment
in deviation database n>x
n<x
Determine root cause
Apply corrective action
then close deviation as
an isolated event
Fault tree analysis
TREATMENT

Enter in deviation General process FMEA

database risk reduction

Final report

New entry in general

CLOSE EVENT
process FMEA

Figure 1. Flowchart for management of deviations.

The answers given in the above decision tree, together

with the fact that this is the first time such contamination
Analysis and classification phase

Q1: Are the corrective actions to be taken described in a has been detected, mean that the event is classified as a
procedure? non-critical deviation.
No, the actions are not described in a procedure.
Q2: Does the deviation affect critical quality attributes?
Contamination of a surface is not regarded as a As this is a non-critical deviation and the maximum
Treatment phase

critical product attribute. number of repeats allowed (n) has not been exceeded, it
Q3: Does the deviation affect critical process parameters would merely require a corrective measure, such as
or stages? subjecting the area to special cleaning. The deviation must
It is not considered to affect a critical stage, because also be entered in the deviation database to be counted.
terminal sterilisation is performed at the end of the
process. Using FMEA to manage deviations
Q4: Does the deviation affect the calibration of
instruments that measure critical process parameters This example suggests using an FMEA-based risk
or quality attributes? analysis tool to classify and handle deviations.
It does not affect calibration.
F.07 vidal pp 31-35: F.13 Loof pp 9-11 23/6/08 18:01 Page 34

34 R Canadell Heredia, E Garcia Vidal, S Herrero Sas et al.

Analysis and classification phase Table 1. Criteria for assessing severity and probability of non-
The severity of the event’s consequences and the
detection of an event

probability of non-detection are assessed to determine the Severity 5 = The deviation affects a critical quality
risk level. Depending on the risk level, events are attribute or parameter
classified as critical deviations, non-critical deviations or
3 = The deviation affects an attribute or
parameter that is not critical to quality
incidents, and the corresponding actions are taken. 1 = The deviation does not affect product quality
The analysis is performed by reference to the but must be documented
assessment scales shown in Table 1. Using these criteria, Probability of 5 = No controls are carried out
the risk matrix shown in Figure 2 is constructed. Events non-detection 3 = Final control on manufactured product only
assessed using the matrix are given a risk level score, 1 = In-process control
which falls into one of three categories:

• Risk level >9 (red zone): Critical deviation. Requires

in-depth investigation, root cause and impact Probability of non-detection
assessment;
• Risk level >3 (orange zone): Non-critical deviation. To 5 3 1
be investigated in proportion to the risk;
• Risk level ≤3 (green zone): Incident. Record and close. 5 25 15 5
3 15 9 3

Severity
Depending on the risk level score obtained, actions are
1 5 3 1
Treatment phase

taken as described above. This phase is exactly the same

as in the previous example (Figure 3).
Critical Non-critical Incident
Example of using FMEA to manage Actions
deviation deviation (risk- (record and

deviations
(in-depth proportional close)
investigation) investigation)

Tablet capping detected during in-process control. Figure 2. Matrix for assessing risk level of an event.
Description of event

measures taken are entered in the process risk matrix for

• The event was detected by an operator during in- regular review of risks and effectiveness.
Key features

process control at the packaging stage (five blister

packs emptied every 30 minutes); Conclusions
• This event is very difficult to detect by either closed-
circuit television or dynamic balancing. This article describes the use of two different risk analysis
tools for managing deviations within the context of
pharmaceutical production.
Based on the above description of the event, the following One of them involves using a decision diagram to
Analysis and classification phase

score is obtained: classify deviations by their impact on product quality,

based on definitions contained in ICH Q7A.
• Severity: 5 (as it may mean a lower dose of active The second option is to apply an FMEA tool that uses
substance); the probability of not detecting the fault to determine the
• Probability of non-detection: 3 (as it is not detected by degree of risk associated with the deviation.
balance or on camera); In both cases, deviations can be prioritised and the way
• Result: This gives a score of 15, so it is classed as a they are dealt with can be tailored to the risk they pose to
critical deviation. quality.
By finally incorporating the information generated into
the general risk analysis for the process, knowledge of the
Having determined that this is a critical deviation, an process can be constantly updated in terms of:
Treatment phase

analysis of the root cause is performed. In this example,

after reviewing the batch record and process risk analysis, • Critical points: redefining the control limits;
it is found to be due to excessive compression force, as • Critical product quality attributes and how they relate
reflected in some high individual hardness values, close to to process parameters;
the upper limit of tolerance. • Process capacity data;
In order to reduce the risk, it is proposed to examine the • The effectiveness of actions within the CAPA system.
influence of compression force and in-process hardness
control results, in order to determine suitable control This approach enables deviations to be handled
limits and thereby prevent tablet capping. effectively, reduces the resources needed by eliminating
The deviation, its assessment, and the risk-mitigation irrelevant incidents, and exploits the information obtained
F.07 vidal pp 31-35: F.13 Loof pp 9-11 23/6/08 18:01 Page 35

DEVIATION MANAGEMENT IN THE CONTEXT OF ICH Q9/Q10 35

EVENT

Establish the severity of the deviation on a scale

of 1-5 (see Table 1)

Establish the probability of not detecting the fault

caused by the deviation on a scale of 1-5 (see
Table 1)

Use the matrix to work out the risk level of the

deviation (see Figure 2)
ANALYSIS

Classify the deviation according to the score

obtained
CLASSIFICATION

NON-CRITICAL CRITICAL
INCIDENT
DEVIATION DEVIATION

General process FMEA

Check deviation rate (n) risk assessment
in deviation database n>x
n<x
Determine root cause
Apply corrective action
then close deviation as
an isolated event
Fault tree analysis
TREATMENT

Enter in deviation General process FMEA

database risk reduction

Final report

New entry in general

CLOSE DEVIATION
process FMEA

Figure 3. Management of deviations using failure mode and effects analysis.

from critical deviations to allow a better understanding of 3. ICH Q10 Pharmaceutical Quality Systems. Step 3, Note for
the process. 4.
Guidance (EMEA/CHMP/ICH/214732/2007), May 2007.
EMEA. Reflection paper on a proposed solution for dealing with
minor deviations from the detail described in the Marketing

References
Authorisation for Human and Veterinary Medicinal products
(including biological products). Doc. Ref. EMEA/INS/GMP/
71188/2006. March 2006.
1. ICH Q9 Quality Risk Management. Step 5, November 2005.
5. AEFI monograph Gestión de los riesgos de calidad ICH Q9.
2. EU Guide to Good Manufacturing Practice, Part II. Basic
requirements for active substances used as starting materials.