The pharmaceutical industry and the medical device industry have unique ways of defining terms like deviation and nonconformance. Often, this leads to confusion about how events should be classified and managed.

This article explains the difference between a deviation and a nonconformance, and why your own organization’s definition is ultimately the most important. We also discuss the role of an enterprise quality management system (EQMS) in managing events and incidents.

Deviation vs. nonconformance in pharma and biotech

In the pharmaceutical industry, a deviation refers to any departure from an approved instruction, procedure, established standard, or specification. A nonconformance, on the other hand, is defined as an output that doesn’t meet specifications or requirements.

For example, a documented SOP states that lab personnel must shower and change clothes every time they move from Lab A to Lab B. Anytime someone doesn’t follow the procedure, that’s considered a deviation.

Nonconformances typically arise in the context of sampling, which is necessary to ensure product quality and safety. When a sampling plan determines that a batch of material doesn’t meet proper measurement standards, that’s considered a nonconformance. Identified nonconformances typically result in lost product, because pharmaceuticals can’t be reworked and any testing would be destructive.

Deviation vs. nonconformance in medical device and diagnostics

It’s far more common to hear the term nonconformance rather than deviation in the medical device and diagnostics industry. Like pharma, nonconformance also refers to any product or output that doesn’t meet specifications.

Deviations typically refer to planned or unplanned deviances where manufacturers intentionally run a process outside of standard documented procedure on a temporary basis.

Examples include:
• A planned deviation where a change control request is approved for a team to increase belt speed for 12 hours as a controlled experiment
• An unplanned deviation that could occur if the team forgets to return the belt speed to its original setting until the following shift
• A planned deviation where emergency approval is granted to run a new raw material on spec for two days due to a material shortage
• An unplanned deviation where equipment breaks down or is out of calibration

In any of the above situations, it makes sense to put the product on hold and quarantine it for further testing. If the subsequent product testing passes inspection, you can then classify the event as a deviation in the quality record, rather than a nonconformance. A material review board (MRB) process may be used to identify any risks and determine the final product disposition.

Why does deviation vs. nonconformance matter?

Some organizations classify every issue as a nonconformance. The problem with this approach is that it becomes a penalty to the plant as well as a negative cost. Where possible, classifying events as deviations until lab inspection results are available can potentially mean salvaging the product when possible and preventing impacts to inventory and customers.

Key differences

Both terms require investigation, corrective and preventive actions (CAPA), and documentation to ensure compliance with good manufacturing practices (GMP) and regulatory requirements.

How incidents and events fit in

Incidents and events are often used as catch-all terms in many industries, and may refer to:
• Deviations
• Nonconformances
• Defects
• Product failures
• Complaints
• Exceptions

Ultimately, what matters is how your organization defines deviation vs. nonconformance, as well as other terminology. How you consistently control, manage, and track the data and trends is even more important as part of your continuous quality journey to reduce variation and drive improvement.

Tying it all together with issue management

Whether we’re referring to deviations, nonconformances, or even incidents in a general sense, issue management provides a framework for minimizing their effect on quality and patient safety. An enterprise quality management system is, in essence, an incident management system that enables effective investigation and documentation of quality issues. An EQMS enables controlled issue management across the supply chain to minimize the effects on quality and patient safety.

Within an EQMS, issue-management tools to look for include:
• Corrective and preventive action for managing nonconformance and noncompliance with written procedures
• Complaint handling to document and investigate reported issues, identify the root cause, and initiate a corrective action to prevent a recurrence
• Change control for documenting planned deviations and applying a standardized process to their review and approval
• Compliance management for improving quality event management to ensure compliance with regulatory requirements and standards
• Risk management establishes a framework for risk analysis, evaluation, control, and management, and specifies a procedure for review and monitoring during production and post-production

The EQMS perspective

Compared with paper processes, an automated EQMS provides significant advantages in terms of efficiency as well as effectiveness. Relying on email or routing paper documents has become increasingly impractical amid the transition to remote work, creating multiple opportunities for information to get lost, which creates a delayed response.

An integrated solution, on the other hand, ties every step of your process together, from the moment an event—whether deviation, nonconformance, or other—is detected (or planned) through investigation, correction, and follow-up. A flexible, integrated EQMS enables you to configure the software to align with your processes. An ineffective EQMS is rigid and requires significant coding (and cost) to change, forcing companies to adapt processes to meet software limitations. Process improvements can be continually updated in a dynamic environment.

Hopefully by now you can answer our original question of whether the event that led to millions of wasted vaccine doses was a nonconformance or a deviation. From an FDA/pharmaceutical perspective, it was a clear deviation from written procedures. Thus, you won’t see the word “nonconformance” anywhere in the FDA’s 483 inspection observation.

Conclusion

Although there’s a distinct lack of harmonization of deviation vs. nonconformance among agencies such as the FDA and ISO, standardizing how you manage events is what’s critically important. An integrated EQMS provides the tools to do just that so you can respond effectively and efficiently to any quality issue. The key is creating a nomenclature that works for your business with clear definitions that are used enterprisewide.

Published March 24, 2025, by AssurX.