V5 Ultimate
Manufacturing · The complete guide

Exception Based Review

TL;DR

Exception Based Review shifts QA effort to validated, risk-based exceptions produced by MES rule checks instead of exhaustive page-turn review. It relies on data integrity, audit trails, and fit-for-purpose computerized system validation aligned to 21 CFR Part 11, EU GMP Annex 11, ISPE GAMP 5, and ISA‑95 integration patterns. V5 Ultimate links exceptions across MES, QMS, LIMS, WMS, and Maintenance on one record to automate dispositions and assure compliant, faster release.

Reviewed · By V5 Ultimate compliance team · 3,500 words · ~16 min read

01 What it is

Exception Based Review (EBR) is a review-by-exception discipline in MES/eBMR/eDHR where validated, risk-based rules verify conformance during execution and surface only exceptions that require human evaluation. Instead of page-turn review of every entry, QA focuses on deviations, out-of-spec/out-of-trend events, missing signatures, genealogy mismatches, equipment status misalignments, or integrity anomalies. The method presumes that master data and recipes encode intended process behavior, that checks are enforced at the point of activity, and that all data, e-signatures, and timestamps are captured contemporaneously with robust audit trails.

EBR does not dilute regulatory obligations for record completeness or product disposition. Rather, it restructures effort: automated conformance for the many, curated escalation for the few. Done correctly, it compresses release lead times, drives Right-First-Time, and yields a cleaner defect signal for CAPA and CPV.

02 Regulatory basis and impact on release

In pharmaceuticals, 21 CFR 211.188 mandates complete batch records and 21 CFR 211.192 mandates review of production records and investigation of discrepancies. EBR retains full record content but uses automated checks to focus QA review on nonconformances and discrepancies, expediting the assessment required by §211.192 without omitting any evidence. In medical devices (eDHR), an analogous review obligation exists within the QMS; computerized system controls must be fit for intended use, with audit trails and validated functions per EU GMP Annex 11 and 21 CFR Part 11 when electronic records/signatures are used.

Key compliance preconditions include: validated rules aligned to approved master instructions, ALCOA+ data integrity, unambiguous audit trails for all automated checks, and controlled security/privilege models for review and approval. These enable faster, defensible release-by-exception while preserving the ability to reconstruct the full record and rationale.

03 Architecture and data flows (ISA‑95 view)

Exception generation relies on consistent data handoffs across ISA‑95 levels. Level 3 (MES) hosts execution context, instructions, limits, sampling plans, and signatures; Level 2 (controls/LIMS interfaces) contributes time-synchronized measurements; Level 4 (ERP/QMS) provides material status and release constraints. A robust EBR design minimizes manual transcriptions, ensures traceable interfaces, and defines clear ownership of exception logic.

| ISA‑95 Level | Primary Responsibility for EBR | Examples of Exception Signals |
| --- | --- | --- |
| Level 4 (ERP/QMS) | Business rules, material status, quality dispositions | Lot on quality hold, supplier block, CoA mismatch |
| Level 3 (MES/eBMR/eDHR) | Execution rules, enforcement, exception logging | Spec breach, missing e-signature, step skipped |
| Level 2 (Automation/LIMS) | Data capture, instrument checks, interlocks | OOS lab result, equipment interlock trip |
| Level 1/0 (Sensors/Actuators) | Signals and timestamps, calibration confidence | Probe failure, timestamp drift detected |

Time synchronization across all levels (e.g., NTP discipline) is essential to defend exception timelines and reconcile root cause. Interface specifications should include data quality rules, error handling, and idempotency so exceptions are not duplicated or masked by retries.
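An added example, not code from V5 Ultimate or any vendor, of the interface rule above: an exception store that absorbs retried deliveries by keying on the event's identity, refuses to let a changed payload overwrite the original, and marks records whose source timestamp disagrees with the receive time. The message fields, the `ExceptionLog` class and the 5-second skew limit are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(seconds=5)  # assumed limit, wide enough for transport latency

class ExceptionLog:
    """In-memory stand-in for the MES exception store (hypothetical)."""

    def __init__(self):
        self.records = {}

    @staticmethod
    def key(msg):
        # Identity of the event, not of the delivery attempt: receive time
        # and retry count are deliberately left out of the key.
        parts = [msg["source"], msg["batch"], msg["rule"], msg["event_id"]]
        return hashlib.sha256(json.dumps(parts).encode()).hexdigest()

    def ingest(self, msg, received_at):
        k = self.key(msg)
        if k in self.records:
            same = self.records[k]["payload"] == msg["payload"]
            # A retry is absorbed; a changed payload under the same identity
            # is surfaced instead of overwriting (it could mask the original).
            return "duplicate" if same else "conflict"
        skew = abs(received_at - msg["observed_at"])
        self.records[k] = {"payload": msg["payload"],
                           "observed_at": msg["observed_at"],
                           "received_at": received_at,
                           "clock_suspect": skew > MAX_SKEW}
        return "created"

def demo():
    # Constructed sample messages; names and values are illustrative only.
    t0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)
    base = {"source": "LIMS", "batch": "B-0001", "rule": "OOS-ASSAY",
            "event_id": "e1", "observed_at": t0, "payload": {"value": 93.1}}
    log = ExceptionLog()
    outcomes = [
        log.ingest(base, t0 + timedelta(seconds=1)),            # first delivery
        log.ingest(base, t0 + timedelta(seconds=9)),            # retry
        log.ingest({**base, "payload": {"value": 99.0}}, t0),   # altered replay
        log.ingest({**base, "event_id": "e2"}, t0 + timedelta(minutes=3)),
    ]
    return outcomes, log

if __name__ == "__main__":
    print(demo()[0])
```

A "conflict" outcome is itself a data-integrity signal and belongs in the exception workflow rather than in an interface error log.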

04 Exception taxonomy and severity

A practical taxonomy clarifies configuration, workflow, and metrics. Classify by process area (materials, equipment, execution, lab, environment, data integrity) and by impact (critical, major, minor). Define whether an exception is blocking (halts execution or release) or advisory (requires review but may not block).

  • Materials: wrong item/lot, expired/retest due, allergen mismatch, genealogy gap.
  • Equipment: not qualified/calibrated, maintenance overdue, cleaning status unknown/failed line clearance.
  • Execution: step timing out of bounds, weighment outside tolerance band, unauthorized bypass, two-person verification missing.
  • Laboratory: OOS/OOT, sample integrity compromised, method system suitability failure.
  • Environment: temperature/humidity excursion, differential pressure failure, microbial alert.
  • Data integrity: orphan data, missing audit trail segment, clock drift anomaly, duplicate entry, uncontrolled attachment.

Severity drives workflow. Critical exceptions are release-blocking and typically auto-initiate a deviation/investigation; major require expedited QA review and may block; minor are trended for CPV. Configure auto-escalation (e.g., repeated minors within a window elevate to major) and define rule overrides with justified, signed, and audit-trailed rationale.
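The escalation and blocking logic described above, as an added example that is not part of the original guide or of any product: repeated minors for the same rule and product inside a sliding window are raised to major, and a blocking exception stops release unless its override carries both a rationale and a signature. The 24-hour window, the limit of three, treating majors as blocking, and all field names are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)      # assumed escalation window
REPEAT_LIMIT = 3                  # assumed: third minor in the window becomes major
BLOCKING = {"critical", "major"}  # assumed: majors block pending assessment

def effective_severities(exceptions):
    """Map exception id -> severity after repeated-minor escalation."""
    recent = defaultdict(list)  # (rule, product) -> times of recent minors
    result = {}
    for exc in sorted(exceptions, key=lambda e: e["at"]):
        severity = exc["severity"]
        if severity == "minor":
            key = (exc["rule"], exc["product"])
            recent[key] = [t for t in recent[key] if exc["at"] - t <= WINDOW]
            recent[key].append(exc["at"])
            if len(recent[key]) >= REPEAT_LIMIT:
                severity = "major"
        result[exc["id"]] = severity
    return result

def release_blockers(exceptions, overrides):
    """Ids that still block release; an override counts only if it carries
    both a rationale and a signature."""
    blockers = []
    for exc_id, severity in effective_severities(exceptions).items():
        ov = overrides.get(exc_id, {})
        justified = bool(ov.get("rationale", "").strip() and ov.get("signed_by"))
        if severity in BLOCKING and not justified:
            blockers.append(exc_id)
    return sorted(blockers)

def sample():
    # Constructed exceptions for one batch; ids and rule names are illustrative.
    t0 = datetime(2024, 1, 1, 6, 0)
    def exc(i, rule, sev, hours):
        return {"id": i, "rule": rule, "product": "P1", "severity": sev,
                "at": t0 + timedelta(hours=hours)}
    return [exc("X1", "WEIGH-TOL", "minor", 0), exc("X2", "WEIGH-TOL", "minor", 5),
            exc("X3", "WEIGH-TOL", "minor", 9), exc("X4", "WEIGH-TOL", "minor", 40),
            exc("X5", "ESIG-MISSING", "critical", 10)]

if __name__ == "__main__":
    print(release_blockers(sample(), {}))
```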

05 Rule design and validation (GAMP 5, risk-based)

Start with approved master instructions and control strategy to derive rule intent: what constitutes conformance, what ranges/limits apply, and which verifications are permissive versus mandatory. For each rule, document source-of-truth (specification, SOP, validation protocol), data lineage, and disposition workflow. Apply GAMP 5 risk-based validation: categorize functions, assess potential impact to product quality and patient safety, and tailor verification accordingly.

  • Design: unambiguous trigger logic, hysteresis/debounce for noisy signals, clear acceptance criteria.
  • Security: role-based privileges for configuration, testing, and override; segregation of duties for author, tester, approver.
  • Testing: boundary, negative, and stress cases; simulated device data; timezone/clock-drift scenarios; e-signature challenges.
  • Traceability: URS-to-test-to-risk matrix linking each rule to its requirement and hazard control.
  • Lifecycle: change control with impact assessment, regression testing, and periodic rule effectiveness review.

06 Data integrity, audit trails, and review controls

EBR depends on trustworthy data. Implement ALCOA+ practices, robust audit trails (who/what/when/why; original and changed values), and time synchronization. Enforce contemporaneous entries, prevent shared accounts, and require appropriate e-signatures under Part 11 with unique credentials. Ensure that audit trail review is risk-based and targeted to exception-triggering records and any subsequent edits, particularly for critical data.

  • Access control: RBAC aligned to job roles; two-person e-signature for high-risk steps.
  • Audit trail scope: configuration changes to rules, master data, limits, and user privileges; execution data additions/edits; exception status transitions.
  • Clock and identity: monitor clock drift; bind device identity; secure interfaces with authenticated endpoints.
  • Attachments: control external data (photos, PDFs) with checksum/versioning and metadata; avoid uncontrolled evidence stores.
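A targeted audit-trail review built from the controls listed above, added here as an example and not taken from the guide or from any product: it checks each entry for who/what/when/why, requires original and changed values on edits, enforces distinct author, tester and approver on rule changes, and recomputes attachment checksums. The record layout and field names are assumptions.

```python
import hashlib

REQUIRED = ("who", "what", "when", "why")
RULE_ROLES = ("author", "tester", "approver")

def review_audit_trail(entries, attachments):
    """Return sorted (entry_id, problem) findings for a reviewer to triage."""
    findings = []
    for e in entries:
        for field in REQUIRED:
            if not str(e.get(field) or "").strip():
                findings.append((e["id"], f"missing {field}"))
        if e.get("what") == "edit" and not {"old", "new"} <= e.keys():
            findings.append((e["id"], "edit without original/changed value"))
        if e.get("what") == "rule_change":
            people = [e.get(role) for role in RULE_ROLES]
            if None in people or len(set(people)) < len(RULE_ROLES):
                findings.append((e["id"], "segregation of duties"))
    for a in attachments:
        # Recompute the digest instead of trusting the stored metadata.
        if hashlib.sha256(a["content"]).hexdigest() != a["sha256"]:
            findings.append((a["entry_id"], "attachment checksum mismatch"))
    return sorted(findings)

def sample_records():
    # Constructed audit-trail entries; user names and values are illustrative.
    def digest(data):
        return hashlib.sha256(data).hexdigest()
    entries = [
        {"id": "A1", "who": "op.lee", "what": "edit", "when": "2024-01-01T08:00Z",
         "why": "transcription error", "old": "10.1", "new": "10.2"},
        {"id": "A2", "who": "op.lee", "what": "edit", "when": "2024-01-01T08:05Z",
         "why": " ", "new": "7.0"},
        {"id": "A3", "who": "eng.kim", "what": "rule_change",
         "when": "2024-01-02T09:00Z", "why": "limit update under change control",
         "author": "eng.kim", "tester": "qa.roy", "approver": "eng.kim"},
    ]
    attachments = [
        {"entry_id": "A1", "content": b"photo-1", "sha256": digest(b"photo-1")},
        {"entry_id": "A2", "content": b"edited", "sha256": digest(b"original")},
    ]
    return entries, attachments

if __name__ == "__main__":
    print(review_audit_trail(*sample_records()))
```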

Regulators expect that computerized systems supporting release provide complete, accurate, and enduring records. MHRA and PIC/S guidance emphasize governance, periodic review of data integrity controls, and training—critical adjuncts to technical controls in EBR contexts.

07 KPIs and analytics for EBR performance

Treat EBR as a controlled process with its own metrics. Monitor exception rates, false-positive/false-negative ratios, time-to-disposition, and release lead time. Track RFT (Right-First-Time) at step and batch level and correlate to exception classes to guide continuous improvement. Use CPV trending to refine thresholds and to detect drift before it manifests as critical exceptions.

  • Exception Rate per Batch: total exceptions ÷ executed checks.
  • Critical Exception Density: critical exceptions per 1,000 execution steps.
  • Mean Time to Disposition (MTTD): clock start at exception creation to final decision.
  • False Positive Ratio: QA-closed with “no impact” ÷ total exceptions (by class).
  • Release Lead Time: last execution step complete to QA disposition; stratify by exception presence.
  • Repeat Exception Recurrence: count of same rule per product/site/period; triggers rule or process redesign.

Define statistical alert/action limits for exception volumes, and periodically review rule effectiveness. Where exceptions mask underlying process variability, integrate with CPV models and revise control strategies or rule logic accordingly.

08 Implementation patterns and stepwise rollout

Adopt a phased approach by product family and unit operation. Begin with high-maturity processes and equipment already integrated to MES and LIMS. Use FMEA and historical deviation data to prioritize rule candidates with the highest quality impact. Build rule libraries tied to master records, then pilot in shadow mode where automated exceptions are generated but QA still performs full review to calibrate false-positive/negative rates.

  1. Process mapping and risk assessment to identify exception candidates and severities.
  2. Define master limits, checks, and signatures; author rule specifications with traceability.
  3. Interface hardening: device integration, time sync, error handling, and reprocessing logic.
  4. Validate rule set (IQ/OQ/PQ) with representative data and boundary conditions.
  5. Shadow run with dual review; tune thresholds and logic; finalize SOPs/work instructions.
  6. Go-live with governance: dashboards, escalation SLAs, and periodic rule effectiveness reviews.

Train operators and QA on exception semantics, documentation expectations, and appropriate use of overrides. Reinforce that justified, recorded, and approved overrides remain fully visible to reviewers and auditors.

09 Common pitfalls and how to avoid them

  • Over-tolerant rules: hide true process drift; correct by aligning to validated control strategy and CPV data.
  • Alert flooding: unprioritized advisory exceptions desensitize reviewers; implement severity, deduplication, and suppression windows.
  • Rule drift without change control: ad hoc edits erode validation status; enforce configuration management and periodic review.
  • Incomplete audit trails: missing configuration change history undermines defensibility; expand scope to include rule lifecycle.
  • Hybrid gaps: paper side-processes create blind spots; digitize or define reconciliation checkpoints.
  • Segregation-of-duties violations: authors approving their own rules or exceptions; enforce RBAC and independent review.
  • Unsynchronized clocks: timelines become indefensible; monitor and alarm on NTP drift beyond defined limits.

10 How V5 Ultimate handles Exception Based Review

V5 configures exception rules as versioned, testable artifacts bound to master batch/route and device interfaces. During execution, rules evaluate parameters, signatures, statuses, and lab results in real time. Exceptions are typed by severity (critical/major/minor) and routed through workflow to QMS deviations or CAPAs as configured. Dispositions can programmatically place lots on quality hold in WMS, trigger LIMS retests, or set equipment to out-of-service in Maintenance until resolved. Dashboards surface exception load, SLAs, and blockers to release, while audit trails capture every state change with rationale and e-signatures.

11 Cross-industry nuances

Pharmaceutical solids/liquids often emphasize CPP/CQA limits, weighment tolerances, cleaning verification, and OOS/OOT integration. Radiopharmaceuticals add decay-correction, time-critical holds, and sterility controls where exception windows must consider half-life and aseptic timelines. Medical devices emphasize eDHR completeness, component genealogy, and process validation checks with focus on acceptance activities and supplier controls. Dietary supplements and food processing add allergen and sanitation checks, supplier CoA verification, and FSMA hazard controls where exception-based holds must block downstream consumption and shipment pending QA release.

Despite differences, the core EBR tenets remain: validated rules aligned to approved instructions, high-fidelity data capture with complete audit trails, risk-based workflows for exceptions, and integration that enforces dispositions across materials, equipment, and documents.

Frequently asked questions

Q. How is Exception Based Review different from traditional batch record review?

Traditional review performs line-by-line checks on every entry. EBR uses validated MES rules to verify conformance automatically during execution and flags only exceptions for human review. The full record still exists and is retrievable; QA effort shifts from clerical verification to focused assessment of risk-significant events.

Q. Does EBR reduce the regulatory requirement to review production records under 21 CFR 211.192?

No. EBR changes how the review is accomplished. Automated checks help meet the review obligation efficiently by surfacing discrepancies and nonconformances. QA must still ensure the record is complete, exceptions are properly investigated, and the final disposition is justified and documented.

Q. What evidence must be retained to defend EBR to inspectors?

Keep rule specifications, validation evidence (risk assessment, test cases/results), approved master instructions and limits, audit trails for configuration and execution, exception workflows and outcomes, and training records. Demonstrate that the system is fit for intended use per Part 11/Annex 11 and that release decisions are traceable to complete, accurate records.

Q. Which exceptions should block release versus allow conditional progression?

Define severity and blocking rules in governance: critical exceptions that affect product quality or patient safety typically block release and auto-initiate deviations; majors may block pending assessment; minors usually do not block but must be trended. Use history-based escalation (e.g., repeated minors) and CPV signals to refine blocking criteria.

Q. How do we validate a complex library of exception rules without overburdening QA/CSV?

Apply GAMP 5 risk-based scaling. Group rules by impact category, reuse tested components, automate simulation test beds, and maintain a traceability matrix from URS through testing. Focus rigorous testing on high-risk rules, and use representative boundary/stress data sets. Control changes under formal change control with targeted regression.

Q. Can we use EBR in hybrid (paper + electronic) environments?

Yes, but define clear boundaries and reconciliation controls. Any off-system steps should have reconciliation checkpoints captured electronically. Uncontrolled paper inserts or attachments erode data integrity and jeopardize defensibility; plan to digitize critical controls before enabling release-by-exception.
