Before we get into how and when to use an SOP Deviation, let’s revisit what we mean by SOP Deviation. Standard Operating Procedures (SOP) are, of course, a set of defined steps in a procedure. The purpose of the SOP is to outline how a process is completed and who is completing it. Since an SOP qualifies as an audited process, it is extremely important to follow the SOP exactly as described. Going outside the defined SOP, can lead to an audit finding and potentially create a material issue for an organization. BUT, if going outside an SOP is defined by a different SOP, then you are still within your compliance framework. When you define how to have an exception to your SOPs, then this becomes your SOP Deviation process.
The most common and universal SOP exception process is to have a dedicated SOP Deviation process. Similar to your SOP on SOPs, an SOP Deviation SOP is a supporting SOP that is not related to the operations of the organization, but the Governance and Compliance. The SOP Deviation SOP needs to be designed in such a way that it can be applied to virtually any other SOP in the organization at the time of an exception. Your SOP Deviation needs to be able to have several universal components in it:
Since an SOP Deviation can be used for any other SOP, the initial trigger for the Deviation needs to be defined in your SOP Deviation SOP. Otherwise, you would need to build the Deviation trigger into every SOP! Typical trigger points range from light options like a notification to Quality Assurance or Compliance to heavier options such as a dedicated Deviation Form.
Since SOP Deviations are a structured process, how a deviation is recorded should be standardized. The is typically competed through an SOP Deviation form. Some of the sections that should be included in your SOP Deviation Form, include:
When a deviation occurs, it is critical that key personnel are aware of the exception and the appropriate measures have been taken in response. Since it is impossible to predict every deviation situation, it is important that subject matter experts (SMEs) are involved in the process. Your SMEs need to include the process owner to effectively document the exception and the impact of it, plus Quality Assurance, Compliance or similar function. Depending on the severity of the exception, additional leadership may need to be formally included.
An SOP Deviation cannot be used to simply skip paperwork or a standard process. Depending on the reason for the Deviation, all original documentation and controls may still need to be completed after the fact. In addition to the Deviation Form, all communication around the deviation, retro-actively prepared documentation and other related documents from the Deviation should be attached to the Deviation Form to create the overall Deviation Process. In the event of an audit, each Deviation Package needs to be able to stand on it’s on and prove that the final outcome was sufficient for the situation.
During an Audit, it is very likely that a list of Deviations will be provided. The number of Deviations can determine the amount of scrutiny applied to an organization during the Audit. Therefore, trying to keep the number of Deviations to a minimum is highly recommended. In addition to the number of Deviations, the type of Deviation can determine how much time Auditors spend in this area. Since having SOPs is all about having a control environment, completing a planned deviation is much less of an issue than unplanned deviations.
A planned deviation is something that is identified and even approved BEFORE it happens. One of the most common reasons for a planned deviation is time. Controlled processes can take additional time, because it always takes longer to do things right. There are a number of instances where some objective needs to be met, but completing the defined SOP will lead to failure due to time constraints. In a planned deviation, it is important to include a proper risk assessment and impact to the overall result by completing the deviation. As long as the overall result is not compromised, an SOP Deviation can be a very powerful tool if time is an issue.
Unplanned deviations should be avoided at all costs. An abundance of unplanned Deviations can call into question your entire compliance framework. If an unplanned deviation has occurred, then something broke and much more research is needed. Depending on the severity of the unplanned deviation, a Corrective Action and Preventative Action (CAPA) may need to be completed. CAPA is a separate process that is designed to understand what caused the deviation, what needs to be done to fix it in the short-term and how to prevent it going forward. Some unplanned deviations may not be severe in nature (eg. Two signatures happened in reverse order) and can still fall under your SOP Deviation SOP. During the review and approval process, subject matter experts will decide if an unplanned Deviation needs to go through the CAPA process.
Some processes are high volume in nature and a level of deviation is not only acceptable, but expected in the process. In these instances, the exception is the same every time and individual occurrence does not have a material impact on the overall compliance framework. In these types of situations, following the SOP Deviation SOP may become suffocating to the overall process, but there is still a need to note the individual deviations. An example is to include a dedicated Exception Form in your process.
For example; before an entry is put into a system, a second manual signature needs to be obtained. Due to the high volume of entry, there are 2 – 3 deviations a week that fail to get the signature because of time constraints. In this case a quick Entry Deviation form is filled out and attached to the original signature sheet as an exception.
As long as this exception situation and process is included in the source SOP, it does not fall under the global SOP Deviation SOP. You have not actually deviated from the SOP since the deviation is detailed in the SOP. It is important to be cautious with built-in deviations. A built-in deviation should always be immaterial, expected and addressed in the core SOP.
Monitoring the number of Deviations that occur is important as it provides insight into the overall compliance framework. A number of planned deviations in the same SOP usually indicates a need to optimize that SOP. A number of unplanned deviations can indicate a general lack of control in the compliance framework or perhaps training issues. Lastly, an excessive number of built-in deviations may indicate that the deviation process is too easy and encourages exceptions. This can be addressed by expanding the exception process to be more difficult than following the standard process.
Regardless of the type of Deviation (Planned, Unplanned, Built-in), monitoring the frequency of Deviations is critical to assess the health of the overall compliance framework.
As with all SOPs, documenting the SOP is not enough. Having an effective notification and training program in place is key to compliance by employees. It is natural to focus training on how to complete a process. In life and death situations, there is significant training on what to do when something goes wrong. This mentality needs to be universal though. In the case of the built-in deviation, the deviation process is typically included in the base SOP training. Global SOP Deviations can be trickier for employees to grasp and should be included in multiple training sessions. Beyond the obvious training on the SOP Deviation SOP, all other SOP training should reference the SOP Deviation SOP and ideally provide examples related to the process. It is important for employees to understand that exceptions and mistakes can only become an unrecoverable situation if they go unnoticed. It is important for everyone to know where to find the escape hatch if they need it.
The goal of this article was to outline the different types of SOP Deviations, when to use them and how they can be a valuable tool in your overall compliance framework. When used effectively, SOP Deviations will help preserve your compliance framework and all operations to continue without shutting down the process.
