Non-Conformances...Deviations, OOS, NCMR's, Exceptions, Excursions, etc

I’ve gone back between Biotech, Pharma and Medical Devices, and have seen different systems for all of these and was just wondering if there is any kind of consensus on handling them or even on the definitions. Also any consensus for their use in different regulated environments. For example, pseudo (off the top of my head) definitions:

Non-conformance - often defined as material that does not meet specification, but also includes material which may have been manufactured during a deviation, or excursion. In medical device, non-conformance often also covers processes. (So it may be an NCR, or an NCMR).

Deviation - any altering of established procedure. Must be investigated and evaluated as to its product impact and therefore may lead to a Non-Conformance (may be reportable to agencies; FDA and CA health have specific reporting requirements, and WHO has a guidance to deviations).

Exception - Deviation to a protocol and not an established procedure. Specifically to validation/qualification activities (also clinical activities). Not centrally maintained, managed within each validation/qualification project.

Excursion - An excursion to established operational or environmental ranges (typically tracked as a deviation, but may be part of an excursion system, i.e., environmental monitoring excursion response, EMER).

Out of Spec (OOS) or LIR (Lab Investigation Report), system to investigate failed results and confirm failure prior to escalating to a Non-conformance.

For smaller organizations I’ve seen this all lumped into an NCR process… anyway, just wondering if these definitions generally jibe with others, or if others have specific requirements around how they handle some of these systems. It seems like there are few classes or instructions for these systems and how they interrelate, yet I can find a ton on CAPAs, which are much more straightforward to me.

I don’t think the definitions change with industry type (biotech/pharma/medical device). Instead, these terms are used differently at different companies, even within the same industry.

Honestly if you ask 10 people for definitions on this, you will likely get 11 different answers. Basically it is up to each company to come up with a system and a definition for when they “get something they didn’t want”.

In my experience with audits, the auditors don’t really care what you call them. They just get the idea that something wasn’t as expected.

Also, you are right that there are varying levels of not getting what you expect. These levels are often called differently - what is important is that the company has specified a path of assessing and elevating issues, so that assessment and actions and tracking are in line with potential impact or how bad was bad.
