3 minute read
ISO 22716
By Robert Low, Lead Management System Specialist
Sections 13 and 15 of ISO 22716 are each a single short paragraph — among the briefest in the entire standard. Their brevity does not reflect unimportance; it reflects that the underlying concept in each case is simple to state, even though applying it consistently in practice takes discipline. Because both sections are so short and closely related, this post covers them together.
This post is part of a series working through ISO 22716 section by section. The series summary with links to every section is available at the end.
Deviations from specified requirements need authorising with sufficient data to support the decision, and corrective action needs taking to prevent the deviation recurring. That is the entire clause.
A deviation, in GMP terms, is a temporary, often unplanned departure from what a procedure or specification says should happen — a piece of equipment running slightly outside its normal parameter range for one batch, for example, where the decision is made to proceed anyway based on supporting data showing product quality is not compromised. The key word is temporary. A deviation that becomes permanent is not a deviation anymore — it is a change that has not gone through the proper change control process described in Section 15.
Changes that could affect product quality need approving and performing by authorised personnel, based on sufficient data. Again, the entire clause in one sentence.
Change control covers planned, permanent modifications — a new supplier for a raw material, an updated piece of equipment, a revised formulation. Unlike a deviation, a change is intended to be the new normal going forward, which is precisely why it demands a more deliberate approval process than a one-off temporary deviation might.
The practical difference between these two short sections is intent and duration. A deviation is “we are doing something different this one time, with data showing it is safe to do so.” A change is “we are doing something different from now on, with data showing it is safe to do so.” Confusing the two — treating a series of repeated deviations as though each one is independent, rather than recognising that the underlying process has effectively changed and needs formal change control — is one of the more subtle but consistent audit findings in this area.
The most common gap is exactly that confusion: the same deviation being authorised repeatedly for the same parameter, batch after batch, without anyone stepping back to ask whether the specification itself needs formally changing. If a deviation has been approved more than a handful of times for the same reason, that is a strong signal the underlying process or specification needs a genuine change control review, not another one-off deviation approval.
The second common gap is either process happening without genuinely sufficient supporting data — an approval signature exists, but the data behind the decision is thin or missing entirely.
Both deviations and changes need linking to the broader document control system, since a change that affects a specification or procedure requires that document to be formally updated, version-controlled, and redistributed — not just approved verbally and left undocumented. Recurring deviations are also a useful early warning signal worth tracking through nonconformance trending, even where each individual instance was technically approved.
This post is part of the Cornerstone ISO 22716 series. See the full series summary with links to all 16 sections.