Deviation / Nonconformance (NC)

Deviation / Nonconformance (NC) – Controlling Departures from Approved Process & Specification

This topic is part of the SG Systems Global regulatory glossary series.

Updated October 2025 • GMP / ISO • QMS, MES, WMS

A Deviation (or Nonconformance, NC) is a documented departure from an approved procedure, specification, drawing, or process parameter that occurs during receipt, manufacturing, testing, storage, labeling, or distribution. In regulated manufacturing, deviations and NCs are inevitable; what matters is how quickly they are detected, contained, investigated, and either justified and accepted under control or corrected and prevented in the future. Mature organizations run deviations as a disciplined, time-bound workflow integrated with batch/lot records, equipment status, labeling control, and release decisions. The aim is not paperwork—it is risk reduction and knowledge capture that strengthens the process over time.

“A deviation record is not a confession; it is an instrument for learning. It must reconstruct the facts, quantify the risk, and drive a proportionate, verifiable response.”

1) What It Is

Deviation is the umbrella term often used in pharmaceuticals and food for any unplanned departure (e.g., temperature excursion, step skipped, tolerance missed). Nonconformance is widely used in devices and ISO environments to mean a product or process that fails to meet a requirement. Many systems treat the terms synonymously and channel both through the same QMS workflow with differences only in classification and disposition authority. Deviations/NCs interact with: BMR/eBMR or DHR (traceability to the affected unit/lot), Component Release (hold/quarantine), Barcode Validation and Dual Verification (prevention), Change Control (remediation), and CAPA (systemic fixes).

TL;DR: A deviation/NC is a controlled record of something that went off-plan or out-of-spec. You detect, contain, investigate (root cause), assess risk, decide disposition (use-as-is, rework, reject), and—when needed—initiate CAPA and change control to stop recurrence. Every decision is attributable, time-bound, and linked to the impacted lots, labels, and customers.

2) Taxonomy, Severity & Risk

Effective programs classify deviations/NCs by type (process, material, equipment, labeling, data integrity, supplier), detection stage (incoming, in-process, final, post-distribution), and severity (critical, major, minor) tied to potential impact on safety, efficacy, identity, strength, purity, usability, or compliance. For food/supplements, add allergen and cross-contamination flags; for devices, include UDI/traceability and design linkages. Severity determines containment rigor and the level of approval required for disposition and release.

3) Governance & Lifecycle (Detect → Contain → Investigate → Decide → Learn)

Detect & contain. Deviation capture should be embedded in execution: operators open a deviation from within the eBMR/eDHR step when an interlock trips or a reading is out-of-spec; WMS scans that fail barcode checks or violate Directed Picking rules raise events automatically; environmental or equipment states (e.g., past due calibration/cleaning) block use and create records. Immediate actions include stopping the line (if warranted), segregating affected lots via Bin / Location Management, and issuing holds.

Investigate & root cause. Investigations apply structured methods (5-Why, Ishikawa, fault tree). Data sources include audit trails (GxP), equipment maintenance history, CPV or SPC records, supplier change notifications, and cleaning validation evidence. Root cause statements are specific and testable; “human error” is rejected unless you can show the specific human-factor mechanism and why defenses failed.

Risk assessment & impact. Use pre-defined templates (FMEA-style) to rate severity, occurrence, and detectability. Determine impacted units/lots using genealogy (Batch Genealogy) and distribution history. For devices, check DHR/UDI; for food/supplements, check allergen segregation rules; for pharma, evaluate stability and potency risks.

Disposition & release decision. Options include use-as-is with justification, rework/reprocess under controlled instructions, scrap/reject, or return to supplier. QA (and the QP where applicable) approves disposition; labeling/UDI, CoA, and release records are updated. If the deviation reveals a systemic gap, open a linked CAPA and consider Change Control to procedures, recipes, or label masters.

Effectiveness & learning. Track recurrence and trend data by product, line, shift, and cause. Fold outcomes into APR/PQR-style reviews and management review. Where changes were implemented, verify their effectiveness at a defined horizon (e.g., 90 or 180 days) and close the loop.

4) Record Requirements & Data Integrity

Deviation/NC records must meet Data Integrity and ALCOA+ criteria: attributable to specific users/instruments, contemporaneous (no backdating), complete with raw data and attachments, accurate (no uncontrolled edits), enduring (retained per predicate rules), and available on demand. Part 11/Annex 11 controls apply to electronic records: unique logins, e-signatures with meaning-of-signature, secure, time-stamped audit trails, and validated systems (CSV). Records must link to the impacted BMR/eBMR or DHR, and to any updated CoA or labeling files via controlled Approval Workflow.

5) Common Failure Modes & How to Avoid Them

  • Late or missing initiation. Deviations discovered after the fact or never recorded. Fix: embed triggers in MES/WMS (interlock failures open records automatically) and coach a culture of “record first, explain next.”
  • Root cause shallow or generic. “Operator error” without causal analysis. Fix: require evidence for human-factor claims; use checklists for methodical root cause development.
  • Inadequate risk/impact analysis. Impacted lots/customers unknown. Fix: enforce genealogy capture (Batch Genealogy), Dynamic Lot Allocation audit trails, and distribution records.
  • Uncontrolled rework. Rework performed without approved instructions. Fix: route rework through QMS with step-gated eBMR/eDHR and Dual Verification.
  • Disposition without justification. “Use-as-is” with no science. Fix: require data-backed rationales (test results, modeling, stability, clinical risk) and QA approval hierarchy.
  • CAPA opened, not closed. Actions drift; recurrence persists. Fix: define measurable outcomes, owners, and due dates; perform effectiveness checks; escalate in management review.
  • Data integrity gaps. Backdated entries, editable fields without audit trail. Fix: Part 11 controls, locked fields after sign-off, and periodic audit-trail review.
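
One way to script the periodic audit-trail review named in the last bullet, covering the attributable and contemporaneous criteria from section 4 (an added example, not code from SG Systems Global or V5). The export layout, field names, and sample entries are constructed for illustration, and it assumes the system assigns `seq` in append order.

```python
from datetime import datetime

# Constructed audit-trail export; field names are hypothetical, not from a real QMS.
AUDIT_TRAIL = [
    {"seq": 1, "record": "DEV-001", "user": "jdoe",   "action": "create", "ts": "2025-10-01T08:02:00"},
    {"seq": 2, "record": "DEV-001", "user": "jdoe",   "action": "edit",   "ts": "2025-10-01T08:15:00"},
    {"seq": 3, "record": "DEV-001", "user": "qa_lee", "action": "sign",   "ts": "2025-10-01T09:00:00"},
    {"seq": 4, "record": "DEV-001", "user": "jdoe",   "action": "edit",   "ts": "2025-10-01T09:30:00"},
    {"seq": 5, "record": "DEV-002", "user": "",       "action": "create", "ts": "2025-10-01T10:00:00"},
    {"seq": 6, "record": "DEV-002", "user": "msmith", "action": "edit",   "ts": "2025-09-30T16:45:00"},
]

def review_audit_trail(entries):
    """Return (seq, finding) tuples for one review pass over the trail."""
    findings = []
    signed = set()      # records that already carry a sign-off
    latest_ts = None    # highest timestamp seen so far, in append order
    for e in sorted(entries, key=lambda e: e["seq"]):
        ts = datetime.fromisoformat(e["ts"])
        # Attributable: every entry must name a specific user.
        if not e["user"].strip():
            findings.append((e["seq"], "unattributed"))
        # Contemporaneous: a later-appended entry must not carry an earlier time.
        if latest_ts is not None and ts < latest_ts:
            findings.append((e["seq"], "backdated"))
        else:
            latest_ts = ts
        # Locked after sign-off: no edits once the record is signed.
        if e["action"] == "edit" and e["record"] in signed:
            findings.append((e["seq"], "edit_after_signoff"))
        if e["action"] == "sign":
            signed.add(e["record"])
    return findings

if __name__ == "__main__":
    for seq, finding in review_audit_trail(AUDIT_TRAIL):
        print(f"seq {seq}: {finding}")
```
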

6) Metrics That Matter

  • Deviation rate per 1,000 lots/units, by product/line/shift.
  • Cycle time from initiation to disposition, and to final close with effectiveness check (median and 90th percentile).
  • Right-first-time investigations (no rework of the investigation record at QA review).
  • Recurrence index (repeat same-cause deviations within 6–12 months).
  • Containment latency (time from event to hold/quarantine through Bin / Location Management).
  • CAPA effectiveness (post-implementation trend reduction).
  • Label/UDI-related deviations prevented by Barcode Validation and Approval Workflow interlocks (leading indicator).

7) How It Relates to V5

V5 by SG Systems Global operationalizes deviations/NCs across MES, WMS, and QMS. In MES, interlocks on tolerances, Dual Verification, and equipment status open deviation records at the point of failure and attach them to the BMR or DHR. In WMS, Directed Picking and Dynamic Lot Allocation prevent wrong-lot issues; incompatible scans trigger automatic holds in Bin / Location. QMS orchestrates investigation templates, risk assessments, and links to CAPA and Change Control. All records are Part 11/Annex 11 aligned with audit trails. For release, V5 presents the deviation context to QA in the same screen as test results and genealogy, reducing decision latency and error. For analytics, V5 provides heat maps by step/equipment/shift and pushes trend summaries into APR/PQR-style product reviews.

8) FAQ

Q1. Deviation vs Nonconformance—are they different?
The terms are often used interchangeably. In many systems, “deviation” emphasizes an unplanned departure from process; “nonconformance” emphasizes a failure to meet a requirement. Both flow through the same QMS controls for investigation, risk, and disposition.

Q2. When is a CAPA required?
When the root cause indicates a systemic issue (recurrence, cross-product risk, control weakness) or the severity justifies long-term action. Single-use, well-contained issues with demonstrated prevention may not require CAPA—document the rationale.

Q3. Can we release product with an open deviation?
Only if risk is assessed and justified, required testing shows conformity, and QA authorizes conditional release. For high-risk categories (e.g., labeling/UDI, allergen), conservative practice is to hold until fully resolved.

Q4. How detailed must the investigation be?
Proportional to risk. Minor, low-impact issues can use streamlined logic; critical deviations require formal root cause analysis, hypothesis testing, and clear evidence linking cause to effect and verifying effectiveness of actions.

Q5. How long should deviation records be kept?
Follow predicate rules and your Data Retention & Archival policy—typically aligned to the associated batch/device record retention period with ensured readability and metadata preservation.




Related Reading
• Processes: CAPA | Change Control | Approval Workflow
• Records & Integrity: BMR / DHR | CoA | Data Integrity | Audit Trail (GxP)
• Execution Controls: Barcode Validation | Dual Verification | Directed Picking | Bin / Location Management
• Monitoring: Continued Process Verification (CPV) | Control Limits (SPC)