QA ProcessQuality Assurance Process

Quality Assurance is the system of planned and documented activities that gives confidence the product will meet its requirements. Quality Control is the act of inspecting the product to confirm it does. The distinction is not academic: in 21 CFR 211.22 the Quality Control Unit is given a list of responsibilities that include both — but every regulated framework that came after, from ICH Q10 to ISO 13485, has separated the two because they require different skills, different reporting lines and different timescales.

QA is upstream and proactive: setting specifications, approving methods, qualifying suppliers, validating processes, controlling changes, investigating deviations, releasing batches against the agreed criteria. QC is downstream and reactive: testing components, in-process samples and finished product against those specifications. A plant that does only QC will catch most failures but learns nothing from them; a plant that does only QA but no QC has no evidence its system actually works. The two must coexist, with QA being the framework and QC being one of its tools.

ICH Q10 is the most influential single document on the modern QA process. It defines four elements that every quality system must include — process performance and product quality monitoring, CAPA, change management, and management review — and three enablers — knowledge management, quality risk management, and senior management responsibility. The four elements are how the system reacts; the three enablers are why the system can react well. Modern regulatory expectations across pharma, biotech, devices, supplements and food can be mapped to this structure even when the underlying regulation is older.

Day-to-day QA work resolves into five recurring loops, each with defined inputs, decision criteria, and outputs. A plant that runs all five cleanly will pass most regulatory inspections; a plant where any one loop is broken will create the deviation findings that drive the others.

1. Specification and method approval

Every CQA needs a specification with method, acceptance criteria, sample plan and release rule. QA approves these before a batch can be made; updates to a specification flow through change control with a regulatory-impact assessment.

2. Deviation and investigation

Every observed nonconformance opens a deviation. QA owns the investigation procedure, sets the depth of investigation by risk, drives root-cause analysis, and links the deviation to a CAPA where the trend or severity requires it.

3. Change control

Every proposed change to a specification, method, process, material, supplier, equipment, computerised system or document goes through change control. QA owns the procedure, assesses risk, determines required re-validation and regulatory notification, and tracks the change to closure.

4. Batch release / product disposition

Every batch is released against the agreed criteria — release-by-exception or full review, depending on the maturity of the system. QA owns the release decision, with the QP (EU) or QA Director (US) as the named signatory.

5. Monitoring and management review

QA trends the inputs from the other four loops, summarises into KPIs, and presents to senior leadership in a documented management review. The review produces actions that feed back into resource allocation, capital projects, and training plans.

QA does not own everything. Modern regulations push the doing of quality work into the line — operators perform IPVs, supervisors close minor deviations, engineers approve some changes — and reserve the unique QA roles for the decisions that require an independent view: spec approval, batch release, supplier qualification, audit response, and any disposition with a regulatory or safety impact.

ICH Q9 made risk-based decision-making the default in pharma; ISO 14971 did the same for devices. The practical effect on the QA process is that every decision — what to investigate, how deeply, what to change, when to revalidate, which supplier to qualify, which deviation closes as minor — is supposed to be informed by a risk assessment. Modern QA processes embed risk assessment into the workflow rather than running it as a parallel exercise.

The most common QA failure pattern is treating risk management as a one-time activity done at process design and never refreshed. The Q9(R1) revision in 2023 sharpened this: risk understanding must be updated when new information becomes available, and the management review must include risk-management effectiveness as an explicit input.

The QA process is only as strong as the documentation that records it. Document control under ISO 9001 §7.5 and ISO 13485 §4.2 requires that every controlled document — SOP, work instruction, specification, method, master record — has a defined owner, an approved revision, a defined effective date, a defined retention period, and a traceable change history. Records (the evidence the SOPs were followed) have similar controls plus a defined retention period that may extend decades for some product categories.

• Hierarchy: Quality Manual → SOPs → Work Instructions → Forms / Records.
• Approval: every revision signed by the document owner and the QA reviewer; effective date after training.
• Training: an SOP becomes effective only when the affected roles have signed the training record.
• Versioning: a single number traverses every controlled copy; obsolete copies removed from points of use.
• Audit: periodic review on a defined frequency (typically annual for SOPs).

Modern manufacturing depends on suppliers — CMOs, CDMOs, contract laboratories, ingredient and component vendors, calibration providers, sterilisation services. The QA process treats every one of them as an extension of the manufacturer's own quality system, with the same controls applied: written quality agreement, supplier qualification before first use, periodic supplier audit, supplier-corrective-action management when nonconformances occur, and trended supplier performance fed back into the management review.

FDA's Quality Agreement Guidance (2016 / 2024 revision) for contract manufacturing in the drug space sets the floor for written supplier obligations; ISO 13485 §7.4 does the equivalent for devices. ICH Q10's contract acceptance language reinforces that the contract giver retains ultimate responsibility for product quality regardless of how much of the process is outsourced.

The management review is the QA process's accountability mechanism. Senior leadership reviews a documented set of inputs on a defined frequency (quarterly is common), with documented outputs that include resource decisions, capital approvals and corrective actions on the system itself. ISO 9001 §9.3 and ISO 13485 §5.6 enumerate the required inputs; ICH Q10 §3.2.4 gives the pharma equivalent.

• Customer feedback and complaints
• Supplier performance
• Deviation, CAPA and change-control trends and aging
• Audit results — internal, external, regulatory
• Process performance and product quality monitoring data
• Status of actions from previous reviews
• Resource adequacy and training effectiveness
• Recommendations for system improvement

Trends matter more than absolute numbers. A rising open-CAPA backlog, an increasing share of deviations classified as 'minor' when severity criteria are not enforced, a flat training-completion rate while headcount grows — these are the early warning indicators that drive the next year's quality plan.

• QA reports through Production, breaking the §211.22(c) independence requirement.
• Deviation backlog growing while severity classification is downgraded to mask the trend.
• Change controls closed before re-validation is complete, with the closure justified retrospectively.
• Supplier qualification is a paper exercise — questionnaire returned, no audit, no agreement.
• CAPA effectiveness checks closed as 'no recurrence in 90 days' without statistically defensible evidence.
• Management review held but not documented, or documented with actions that never close.
• Quality KPIs that count meetings rather than outcomes.
• Internal audit programme that audits only the same ten areas every year.
• Training-completion rates reported as percentages without distinguishing role-specific competence from generic awareness.

V5 implements the ICH Q10 framework as the operating shape of the platform: document control, training, deviation, CAPA, change control, MRB, audit, supplier and management review live in one system with one identity model, one audit trail and one set of e-signatures. The five QA loops run as configured workflows; the KPIs feed a real-time dashboard that powers the management review; the cross-loop links (deviation → CAPA → effectiveness, change → revalidation → CPV) are first-class objects rather than spreadsheet cross-references.

• Single audit trail across documents, batches, deviations, CAPAs, MRBs and supplier records — searchable in seconds.
• Severity classification with controlled lists; downgrade requires a documented justification.
• Change control with regulatory-impact assessment and revalidation gates built in.
• Effectiveness checks scheduled at CAPA closure; the check chases its own closure.
• Management review with auto-assembled inputs; outputs become tracked actions with owners.
• Supplier scorecards with audit cycle, qualification status and corrective-action aging in one view.