Review By Exception

Review By Exception (RBE) is a risk-based quality review approach where a validated MES enforces procedural controls, automatically verifies conformance to master records and specifications, and routes only exceptions—such as parameter out-of-limits, material mis-issue, missing signatures, step bypass attempts, equipment qualification lapses, data-integrity alerts, or algorithmic trend violations—to human QA for disposition. RBE’s purpose is not to reduce scrutiny, but to concentrate expert attention where risk is highest, while ensuring that compliant data are fully checked by the system and are retrievable, attributable, and auditable.

RBE applies to eBMR/eDHR-centric operations across pharma, biotech, medical devices, and regulated food/cosmetics domains. It rests on four pillars: trustworthy electronic records (21 CFR Part 11/Annex 11), complete and contemporaneous capture of execution data, robust exception taxonomy and routing, and validation demonstrating that automated checks are equivalent to manual verification for their intended use.

cGMP requires comprehensive review of production and control records prior to release. For drugs, 21 CFR 211.188 details what must be in batch records and 21 CFR 211.192 requires that any unexplained discrepancy be thoroughly investigated. For devices, 21 CFR 820.184 prescribes DHR contents and supports release accountability. Electronic implementations must satisfy 21 CFR Part 11 controls (validation, audit trails, record retention, secure e-signatures), and EU GMP Annex 11 echoes these expectations for computerised systems.

""Any unexplained discrepancy [...] shall be thoroughly investigated.""

RBE is a means to comply efficiently: the MES performs routine checks consistently and without fatigue; QA focuses on exceptions with full context, ensuring investigations meet regulatory depth. Regulators increasingly expect data integrity governance (e.g., MHRA guidance) and periodic review of audit trails; an RBE model must embed these practices, not defer them.

A clear taxonomy prevents under- or over-triggering. Categories typically span data quality, procedural conformance, equipment/asset state, materials/labeling, analytical results, and contextual signals from integrated systems (LIMS, historian, maintenance, WMS). Severity (critical, major, minor) and workflow routing rules must be defined in the master and governed via change control.

• Define exception severities aligned to product quality risk.
• Map each exception to owner, clock start, and required attachments (e.g., instrument printouts, historian traces).
• Implement escalation SLAs; time-bound unresolved critical exceptions automatically extend batch holds.

RBE depends on deterministic, enforceable MES logic. ISA‑88-aligned recipes and unit procedures should encode permissives, interlocks, parameter limits, enforced scan/ID checks, weigh-by-tolerance, and e-signature gates. Steps must be atomic, sequenced, and contemporaneously recorded with operator IDs, timestamps, device IDs, and raw values. Automated calculations (yields, mass balance, potency factors) should be recalculated by the system and range-checked.

• Force-digitize critical checks: identity scanning, expiry checks, equipment status, cleaning verification.
• Block progression on hard limits; allow controlled bypass only with role-based override, reason codes, and automatic exception creation.
• Integrate LIMS for specification pulls/results push; integrate historians for CPP trace overlays; integrate CMMS for calibration/PM state.
• Use role-based e-signature matrices for review/approval steps; log all signature challenges.

Trust in automated verification rests on ALCOA+ principles and robust audit trails per 21 CFR Part 11 and Annex 11. Each record must be attributable to a person/system, time-stamped, original (or a verified true copy), and unchanged or change-controlled with reason codes. MHRA’s GxP data integrity guidance expects risk-based, periodic audit trail review and event-driven reviews (e.g., prior to batch release) with defined scope and documented outcomes.

• Audit trails must capture who/what/when/why for creates, edits, deletions, and signatures; report filters must not alter source records.
• Configure event-driven audit trail review triggers for high-risk steps (e.g., CPP edits, specification changes, deviations).
• Document audit trail review frequency, roles, and sampling logic in SOPs; link exceptions from audit trail review back into the e-record.

RBE workflows should embed audit trail review as a prerequisite to QA disposition for batches with data edits, late entries, or anomalous patterns. Not every batch needs full manual line-by-line review, but every exception class requiring audit scrutiny must be explicitly defined.

Computerized System Assurance (CSA)/CSV for RBE emphasizes requirements clarity (URS), risk-based testing, and traceability. GAMP 5 (2nd ed.) recommends targeting testing effort proportionate to risk and complexity: business rules that gate release (e.g., specification checks, calculation verifications, genealogy completeness) merit focused negative testing and boundary analyses. The validation package must show that automated checks are reliable, repeatable, and auditable and that exception routing is correct under all defined states.

1. Define URS for RBE: exception taxonomy, severity mapping, routing, timers/SLAs, required attachments, and metrics.
2. Perform risk assessments to identify GxP-impacting functions; classify by GAMP categories and criticality.
3. Develop protocolized tests covering normal runs (no exceptions), each exception trigger, override behavior, and integration failure modes (e.g., LIMS/CMMS outage).
4. Establish objective evidence for audit trail completeness and e-signature controls (Part 11), including time sync and tamper evidence.
5. Trace to SOPs defining QA review, audit trail review, and release criteria.

RBE commonly blends 100% automated verification with risk-based human sampling for quality-relevant content that algorithms cannot fully contextualize (e.g., free-text narratives, manual attachments). Define sampling strategies driven by product risk, process capability, novelty (e.g., new processes), and supplier/material risk. For high-risk products or immature processes, plan higher manual sampling rates and targeted deep-dives (e.g., first three commercial batches, batches following major change control).

• Calibrate sampling rates using exception rates, process capability (Cp/Cpk), and complaint/recall history.
• Escalate to 100% manual review for a defined window upon detection of a material auditor or regulator observation related to data integrity.
• Document the statistical and quality rationale for sampling in SOPs; review annually in APR/PQR and management review.

RBE depends on clean, timely exchanges between Level 4 (ERP/specs, orders), Level 3 (MES/eBMR/eDHR, QMS), Level 2 (SCADA/PLC, historians), and peer systems (LIMS, WMS, CMMS). ISA‑95 provides the vocabulary and models to partition responsibilities and standardize interfaces. Exceptions often arise at boundaries—expired material in WMS, calibration overdue in CMMS, OOS in LIMS—so integrations must propagate context-rich events back to the e-record and trigger containment automatically.

Measure RBE performance with operational and quality KPIs. Track exception rates per batch/step/material, false-positive/false-negative rates of exception rules, mean/95th-percentile QA cycle time, rework on exceptions, and proportion of audit trail–originated exceptions. Correlate exceptions with yield, scrap, deviations, complaints, and recalls. Use trending to refine rules (tighten where weak signals miss issues; loosen where false positives overload QA).

• Exception aging by severity with SLA adherence.
• Batch release lead time vs. manual review baseline.
• Audit trail review findings rate and themes.
• Top-10 exception causes and corrective rule changes implemented via change control.

Govern KPI review through management review and APR/PQR. Any material trend indicating systemic false negatives must trigger a documented risk assessment and possible temporary elevation to enhanced manual review until controls are improved.

RBE can fail if implemented as a staffing shortcut rather than a control strategy. Frequent observations include incomplete exception taxonomies, unvalidated calculations, disabled checks without change control, lack of event-driven audit trail review, and release proceeding with open exceptions. Another anti-pattern is allowing manual record edits without contemporaneous reason codes and supervisory review, contradicting Part 11 and Annex 11 expectations.

• Equating RBE to “no review” instead of “review of risk-relevant exceptions.”
• Overriding hard limits routinely—this normalizes deviation and undermines state of control.
• Failing to train QA in interpreting system-generated evidence (e.g., historian overlays, algorithmic trend flags).
• Not maintaining time synchronization across systems; audit trails become unreliable.
• Neglecting device labeling/UDI checks within eDHR-based RBE, leading to traceability gaps.

V5 Ultimate implements RBE natively across one execution record by linking MES procedures, QMS deviations/CAPA, LIMS results, WMS/serialization, and Maintenance states. Exceptions spawned anywhere carry full context (who/what/when/why, raw values, attachments, historian traces) and automatically enforce holds, initiate investigations, and require role-based QA disposition before release. Part 11/Annex 11 controls, audit trail review workflows, and integration loss-of-signal behaviors are pre-modeled and validated to be tailored through change control.