Pharma /

Gmp

/

General Information

GMP Process Documentation

OBS Configuration

Work in Progress

Table of Contents

Allowed Process Workflows 2
Complaint → Investigation → Deviation (if needed) → CAPA (if needed) → Change Control (if needed) 3
Deviation → (Investigation if needed) → (CAPA if needed) → (Change Control if needed) 4
Deviation → (CAPA if needed) → (Change Control if needed) 5
Direct Change Control 6
Deviation Management 7
Pre-Approval Phase 7
Approval Workflow 8
Due Date Extension Process 11
Investigation Management 13
Investigation Overview and Fields 14
Departmental Feedback Requests 16
Investigation Approval Process 17
CAPA 18

Allowed Process Workflows

Depending on the situation, the system supports multiple workflows for managing complaints, deviations, investigations, CAPAs, and change controls.

Each workflow follows a predefined logic, ensuring full traceability, regulatory compliance, and process integrity.

All possible workflows can be grouped into four main types, which reflect the most common and allowed scenarios in the system.

Each of them includes optional steps, depending on the outcome of the review or assessment at each stage.

Below is a complete list of the allowed flows within these four types:

Complaint → Investigation → Deviation (if needed) → CAPA (if needed) → Change Control (if needed)

  • Complaint → Investigation → Deviation (if needed) → CAPA (if needed) → Change Control (if needed)
  • Complaint → Investigation → no Deviation → close
  • Complaint → Investigation → Deviation → no CAPA → close
  • Complaint → Investigation → Deviation → CAPA → no Change Control → close
  • Complaint → Investigation → Deviation → CAPA → Change Control

Deviation → (Investigation if needed) → (CAPA if needed) → (Change Control if needed)

  • Deviation → (Investigation if needed) → (CAPA if needed) → (Change Control if needed)
  • Deviation → no Investigation → close
  • Deviation → Investigation → no CAPA → close
  • Deviation → Investigation → CAPA → no Change Control → close
  • Deviation → Investigation → CAPA → Change Control

Deviation → (CAPA if needed) → (Change Control if needed)

  • Deviation → (CAPA if needed) → (Change Control if needed)
  • Deviation → no CAPA → close
  • Deviation → CAPA → no Change Control → close
  • Deviation → CAPA → Change Control

Direct Change Control

  • Direct Change Control
  • Change Control (initiated directly)

Each of these workflows is described in detail in the sections below.

The structure explains when each step is required, what decisions are made, and what paths are allowed based on the situation.

Complaint → Investigation → Deviation (if needed) → CAPA (if needed) → Change Control (if needed)

When a Complaint is registered, the system always starts an Investigation.

The Investigation analyzes the situation and can lead to two outcomes:

  • If everything is acceptable or no issue is confirmed, no Deviation is created. The process ends after the investigation is closed.
  • If a problem is confirmed, a Deviation is registered.

After the Deviation is created:

  • It cannot start a new Investigation, because the case was already investigated through the complaint.
  • The deviation is reviewed, and based on the risk or impact:
    • A CAPA can be created, or
    • The deviation can be closed without a CAPA.

If a CAPA is created, the process can continue to Change Control, but only if a permanent or procedural change is needed.

Summary of possible paths:

  • Complaint → Investigation → no Deviation → close
  • Complaint → Investigation → Deviation → no CAPA → close
  • Complaint → Investigation → Deviation → CAPA → no Change Control → close
  • Complaint → Investigation → Deviation → CAPA → Change Control

Key rules:

  • Only one Investigation is allowed in this chain.
  • Only one CAPA can be created from the deviation.
  • The process is one-directional and traceable.

Deviation → (Investigation if needed) → (CAPA if needed) → (Change Control if needed)

This workflow starts with a Deviation, which is reported when something unexpected or non-compliant happens during operations.

Once the deviation is registered, it goes through a review and approval process.

During this stage, the responsible approvers decide whether an Investigation is needed.

If no investigation is needed:

  • The deviation can be closed after review.
  • No further actions are required.

If an investigation is needed:

  • The process continues with an Investigation to analyze the root cause and assess the impact.

During the investigation, the quality team evaluates whether a CAPA is necessary.

From the investigation:

  • If the issue is minor or already resolved, no CAPA is created. The deviation is closed after the investigation.
  • If corrective or preventive action is needed, a CAPA is created.

Inside the CAPA, the team evaluates whether a Change Control is required to apply long-term changes (e.g., updates to procedures, specifications, systems).

From the CAPA:

  • If no procedural or system change is needed, the CAPA ends the process.
  • If a change is required, the process continues with a Change Control.

Allowed flows in this workflow:

  • Deviation → no Investigation → close
  • Deviation → Investigation → no CAPA → close
  • Deviation → Investigation → CAPA → no Change Control → close
  • Deviation → Investigation → CAPA → Change Control

Key rules:

  • Only one investigation can be created from a deviation.
  • The investigation cannot create a new deviation, because the deviation already exists.
  • Only one CAPA can be created per investigation.
  • Only one Change Control can be created from the CAPA.

Deviation → (CAPA if needed) → (Change Control if needed)

This is the most direct workflow.

It starts with a Deviation, which is registered when a non-conformity or unexpected situation occurs.

After review, the responsible team evaluates whether a CAPA is needed.

From the Deviation:

  • If no corrective or preventive action is required, the deviation is reviewed and closed.
  • If action is required, a CAPA is created directly, without starting a separate investigation.

Inside the CAPA, the team assesses whether a Change Control is needed.

From the CAPA:

  • If the actions do not require updates to documents, procedures, or systems, the CAPA is completed and the process ends.
  • If a permanent or formal change is required, a Change Control is started to implement it.

Allowed flows in this workflow:

  • Deviation → no CAPA → close
  • Deviation → CAPA → no Change Control → close
  • Deviation → CAPA → Change Control

Key rules:

  • Only one CAPA can be created per deviation.
  • Only one Change Control can be created per CAPA.
  • No investigation is part of this flow.
  • The flow is used when the root cause is clear and no further analysis is needed.

Direct Change Control

In some cases, a Change Control can be created directly, without going through a deviation, investigation, or CAPA.

This applies to planned or proactive changes, such as:

  • Process improvements
  • Equipment upgrades
  • Procedure updates
  • Regulatory-driven changes
  • Periodic reviews

These changes are not triggered by a non-conformity or issue, but are part of ongoing quality system maintenance or business improvements.

How it works:

  • A user with the appropriate role initiates a Change Control request.
  • The request goes through the standard approval process, including quality and regulatory review if required.
  • The change is implemented only after full approval.

Allowed flow in this case:

  • Change Control (initiated directly)

Key rules:

  • No deviation, investigation, or CAPA is required before starting.
  • All standard validation, documentation, and approval steps still apply.
  • This type of change must still follow full traceability and audit trail requirements.

Deviation Management

Pre-Approval Phase

Deviations can be created in two ways:

  • Manually: A user identifies a non-conformity or unexpected event and registers a deviation directly in the system.
  • Automatically: A deviation is created after a complaint investigation is completed, if the outcome confirms that a deviation is necessary.

No matter how the deviation is created, the process for entering and reviewing the initial information is the same.

Once the deviation is created - either manually or automatically - the first step is to complete the required form.

This is done by the employee who initiates the deviation and must be finished before the deviation can move to the approval workflow.

Below is a section-by-section guide to the information that must be entered.

1. General Information

  • Company - Select the legal entity where the deviation occurred (e.g., Ocean Stellar).
  • Department - Choose the department responsible for the area or process affected.
  • Name - Provide a short, clear title that identifies the deviation.
  • Code (readonly) - This code is generated automatically by the system and cannot be edited.

2. Occurrence Details

  • Occurred On - Enter the exact date and time when the deviation happened.
  • Reported By (readonly) - This is automatically filled in by the system with the name of the employee who registered the deviation.
  • Due date - Set the proposed deadline for resolving or closing the deviation.
    The due date can be changed manually only during the approval phase. Once the deviation is fully approved, and especially if it continues to investigation, the due date cannot be edited directly. Any change must go through a due date extension request, which is approved by the department manager, quality assurance, and the final approver (QP or Responsible Pharmacist). Only after all approvals are given, the new due date is applied.

3. Categorization

  • Deviation Type - Select:
    • Planned – the deviation was expected and authorized in advance.
    • Unplanned – the deviation occurred unexpectedly.
  • Repeat Occurrence - Indicate whether this deviation has occurred before: Yes, No, or N/A
  • Preliminary Categorization - Choose the initial classification based on severity: Minor, Major, or Critical

4. Deviation Description

  • Description - Provide a clear and detailed explanation of what happened and what the deviation involves.

5. Deviation Source

  • Affected Product - Specify the product involved, if applicable.
  • Batch (optional) - Select the batch number if the deviation is related to a specific production batch.
  • Equipment (optional) - Add the equipment involved in the deviation, if relevant.
  • Complaint (readonly) - If the deviation was created from a complaint, this field will be populated automatically.

6. Justification

  • Justification - Explain briefly why this deviation is being documented and what justifies its creation.

7. Immediate Actions

  • Immediate Action Taken - Select Yes or No depending on whether any actions were taken immediately after the deviation was identified.
  • Description of Action - If Yes, describe what action was taken and when.

Sections Visible But Not Completed at This Stage

There are two additional sections visible in the deviation form. These fields are not filled in by the creator of the deviation, but are completed later during the approval process by designated roles (e.g., Quality, QP, or Department Head):

8. Final Regulatory Decision

  • Final Categorization - The definitive classification of the deviation (e.g., Major), determined by Quality or a QP.
  • Final Approver Role - Indicates who is responsible for the final decision (e.g., Responsible Pharmacist).

9. Post Approval Actions

  • Requires Investigation - To be selected if an investigation is required. If selected, the Investigation Leader must be assigned.
  • Requires CAPA - To be selected if corrective or preventive actions will follow.
  • Requires Change Control - To be selected if a permanent change is needed.
  • Post Approval Notes - Used to capture comments or decisions made during the approval process.

Approval Workflow

Once the deviation form is completed and submitted, the system starts the approval workflow.

The approval process follows these steps:

  1. For Department Review
  2. For Quality Review
  3. For QP / Responsible Pharmacist Review
  4. Completed

Each approval step gives the reviewer the following options:

  • Approve → Move the deviation to the next step.
  • Send Back to Start → Return the deviation to the author with required comments.
  • Permanently Reject → End the process with no further actions.

Step 1: For Department Review

  • When the deviation is moved to “For Department Review”, the system sends an email notification to the Department Manager.
  • The department reviewer opens the deviation and reviews all provided information.
  • Available actions:
    • Approve → The deviation moves to “For Quality Review”.
    • Send Back to Start → The reviewer enters comments explaining what must be corrected. The system notifies the deviation author, who must revise and resubmit.
    • Permanently Reject → The deviation is closed and moved to the Permanent Rejection status.

Step 2: For Quality Review

After approval from the department, the deviation is routed to the Quality Assurance (QA) team.

QA reviewers must perform two key actions before approving:

A. Final Categorization and Final Approver Role

  • Final Categorization: Confirm or adjust the final severity level (Minor, Major, or Critical).
  • Final Approver Role: Select whether the final reviewer will be a:
    • Qualified Person (QP) or
    • Responsible Pharmacist (M.Pharm.)

This selection determines who the deviation is sent to for final approval.

B. Post Approval Actions

  • QA determines whether further action is required:
    • Requires Investigation: If selected, an investigation will be created automatically after approval. The Investigation Leader must be assigned.
    • Requires CAPA: If selected, a CAPA will be created after approval.
    • Post Approval Notes: QA can enter comments for traceability.

Once these fields are completed, QA can:

  • Approve → The deviation moves to the selected final approver.
  • Send Back to Start → With comments that the author must address.
  • Permanently Reject → The deviation is closed and not processed further.

Step 3: QP / Responsible Pharmacist Review

Based on the selection made by QA, the deviation is sent to the Qualified Person (QP) or the Responsible Pharmacist for final review.

At this step, the final reviewer has full access to the following fields and can review and make changes if needed:

  • Final Categorization
  • Final Approver Role
  • Post Approval Actions, specifically:
    • Requires Investigation
    • Requires CAPA

The reviewer then chooses one of the following:

  • Approve → The deviation moves to the final stage, Completed, or continues to the investigation/CAPA process.
  • Send Back to Start → With comments to the author for correction.
  • Permanently Reject → Ends the process.

What Happens After Final Approval?

Once the deviation is fully approved by the final approver, the system checks the selected Post Approval Actions and proceeds accordingly:

  • If no further actions are selected:
    • The deviation is marked Completed and the process ends.
  • If Investigation is required:
    • An investigation is created automatically.
    • The deviation moves to status “Investigation in Progress”.
    • When the investigation is completed, the system will automatically update the deviation to status Completed.
  • If CAPA is required:
    • A CAPA is created automatically.
    • The deviation enters status Completed, and the process continues in the CAPA module.

Note: Only one follow-up action can be selected — either Investigation or CAPA, but not both.
The system does not allow selecting both at the same time. The appropriate path must be chosen based on the nature and risk of the deviation.

Due Date Extension Process

Once a deviation is approved, the due date can no longer be changed manually.

If additional time is needed after approval, the user must request a Due Date Extension through a formal process.

This ensures that all changes to deadlines are fully traceable and approved by the responsible roles.

In the deviation screen, users will see two buttons on the left side:

  • View due date extensions
  • Request due date extension

Viewing Due Date Extension Requests

Clicking View due date extensions opens a table showing all extension requests made for the current deviation.

Each request is listed with the following details:

  • ID – a clickable button that opens the specific request
  • Status – current stage or final outcome of the request
  • Previous Due Date – the original deadline before the request
  • New Due Date – the proposed updated deadline
  • Justification – the reason provided by the requestor

From this table:

  • Approvers can open and review requests
  • The requestor or QA can access and cancel a request if needed
  • If the request is still in progress, approval actions can be taken directly from here

This view helps all involved users and approvers monitor the full history and current state of due date extensions for the deviation.

Request Due Date Extension

Clicking Request due date extension opens a pop-up window with two fields:

  • Justification for extension – explain why more time is needed.
  • New due date – enter the new proposed deadline.

Once both fields are filled in, click OK to submit the request.
This starts the official approval process.

Approval Flow for Due Date Extension

The approval matrix follows the same order as the main deviation approval process:

  1. The request is first sent to the Department Manager.
    They can either:
    • Approve → moves the request to For Quality Review, or
    • Reject → moves the request to Rejected (must enter a comment).
  2. Then the Quality Assurance (QA) reviewer can:
    • Approve → moves the request to For Final Approval, or
    • Reject → request is marked as Rejected (comment required).
  3. The final approver is the same role selected in the original deviation - Either the Qualified Person (QP) or the Responsible Pharmacist.
    They can:
    • Approve → the new due date is applied to the deviation, and the request is marked Completed.
    • Reject → the request is marked as Rejected, and the author is notified.

Important:

  • For each approval step, approvers can optionally add a comment when approving.
  • If they reject, a comment is mandatory to explain the reason.
  • The author is automatically notified if the request is rejected and can submit a new one if needed.

Canceling a Request

In specific cases, a due date extension request can be cancelled.

This can be done by:

  • The author of the deviation
  • Мember of the Quality Assurance team

Rules and System Limitations

To ensure proper tracking and avoid misuse, the system applies the following rules:

  1. Only one active request at a time:
    You cannot submit a new request if there is already one that is not yet closed (approved or rejected)
  2. Each combination of dates must be unique:
    • You cannot submit a request with the same new due date as a previous one.
    • You cannot submit a request with the same previous due date twice.
  3. The new due date must be later than the current one:
    The system will reject the request if the new date is not after the current due date.

This controlled extension process ensures full traceability, proper escalation, and a consistent way to manage deviations requiring more time.
It protects the integrity of deadlines while still allowing flexibility through a structured workflow.

Investigation Management

Investigations are used to assess the root cause, impact, and risk of deviations or complaints that require deeper analysis.

They help determine whether further action such as a deviation or a CAPA is needed.

Each investigation is led by an assigned Investigation Leader, who is responsible for:

  • Managing the investigation process
  • Collecting feedback from relevant departments
  • Summarizing the findings
  • Submitting the investigation for approval

An investigation can be created in two ways:

  • From a Complaint
  • From a Deviation

In both cases, the Investigation Leader is selected at the source level (complaint or deviation).
When the investigation is created, the system automatically sends an email notification to the assigned leader.

Once the investigation is initiated, the leader fills in the required fields and then assigns feedback requests to departments.

This is done by selecting the relevant departments and submitting requests within the investigation form.

For each selected department, the system automatically creates three feedback tasks:

  • Impact Risk Analysis
  • Investigation Root Cause
  • Investigation Summary

These tasks are completed by the department manager (or a delegated assignee).

Once all feedback is provided, the Investigation Leader writes a final recap in the investigation and then submits it for approval.

The approval matrix is the same as for deviations:

  1. Department Manager
  2. Quality Assurance
  3. Qualified Person or Responsible Pharmacist

After final approval, the system proceeds based on the post-investigation decision:

  • If a Deviation is required (for investigations from complaints), one will be created.
  • If a CAPA is required, the system will continue with the CAPA process.

This structured approach ensures that investigations are handled consistently, with input from all affected areas, and that proper action is taken based on the outcome.

Investigation Overview and Fields

Once an investigation is created, the Investigation Leader is responsible for completing and managing the following fields and sections:

General Information

This section is filled in automatically by the system based on the originating complaint or deviation.

  • For Company – the legal entity the investigation belongs to
  • For Department – the responsible department
  • Deviation – linked deviation (if the source is a deviation)
  • Complaint – linked complaint (if the source is a complaint)

Investigation

Basic investigation details. Most fields are filled automatically but can be updated if needed.

  • Name – the investigation name, copied from the complaint or deviation
  • Investigation Leader – auto-filled; can be changed after creation
  • Code – generated automatically by the system
  • Date – the creation date of the investigation

Description and comments

  • Description – a short description, prefilled from the complaint or deviation; can be edited
  • Comments – a general-purpose comment field used during reviews, approvals, or internal notes

Investigation Connection

Details that link the investigation to related operational items.

  • Product – the affected product, if applicable
  • Batch – batch number related to the investigation
  • Equipment – the equipment involved in the issue

Production and Customer Notification

Information about production and customer impact.

  • Continue Production – Yes, No, or N/A
  • Customer Notified – Yes, No, or N/A
  • Customer Notification Date – date when customer notification was sent (if applicable)

Risk Assessment

This section evaluates the level of risk using the RPN method (Risk Priority Number).

  • Impact Severity – Low (1), Medium (2), or High (3)
  • Probability – Low (1), Medium (2), or High (3)
  • Detectability – Low (1), Medium (2), or High (3)
  • Risk Score – calculated automatically using the formula:
    Risk Score = Impact Severity × Probability × Detectability
    The result ranges from 1 to 27.
    Higher scores indicate greater risk and help prioritize the need for corrective actions.

Investigation Recap

This section is completed by the Investigation Leader once all department feedback is collected.

(Details on department feedback will be explained in the next section.)

  • Supplier Qualification Impact – Yes, No, or N/A. Indicates whether the issue affects supplier qualification or compliance.
  • Final Approver Role – sets the final approval role (e.g., QP or Responsible Pharmacist). This is normally carried over from the source deviation or complaint, but must be set by QA if not pre-filled.
  • Impact Risk Analysis – entered by the Investigation Leader once all departmental feedback is received.
  • Investigation Root Cause – summary of the identified root cause based on collected input.
  • Investigation Summary – overall investigation conclusion, based on all findings and feedback.

Post Approval Process

This section defines the next steps after the investigation is completed and approved.

  • Deviation Required – Yes / No. Used only when the investigation originates from a complaint, to determine if a deviation should be created.
  • CAPA Required – Yes / No. Indicates whether the investigation should trigger a Corrective and Preventive Action.
  • CAPA Justification – explanation of why a CAPA is needed.
  • CAPA Responsible – person who will be assigned to the CAPA.
  • CAPA Must Close with Deviation – Yes, No, or N/A. Indicates whether the deviation and CAPA should be closed together.

Departmental Feedback Requests

As part of the investigation process, the Investigation Leader is required to involve other departments by requesting their input.

This is done through the “Departmental Feedback” tab in the investigation screen.

Important:
The investigation cannot be moved to the “In Progress” step unless at least one departmental feedback request has been created.
This ensures that every investigation includes cross-departmental input from the beginning.

These requests are used to gather structured reports from departments regarding:

  • Impact Analysis
  • Root Cause Investigation
  • Investigation Summary

Creating a Departmental Feedback Request

To create a feedback request, the Investigation Leader navigates to the “Departmental Feedback” tab and clicks “Add”.

The following fields must be completed:

  • Department - Select the department from which feedback is required. The list includes all departments in the organization.
  • Deadline - Set the date by which the department must complete the request. This deadline will automatically be applied to all related tasks.
  • Request - Enter a short title for the request. This will appear in the name of the tasks created.
  • Description - Provide more details about what is needed from the department. This will be included in the task descriptions.

After clicking Add, the system automatically creates three tasks linked to this request:

  1. Investigation Summary
  2. Root Cause Investigation
  3. Impact Analysis

Each task is assigned to the Department Manager of the selected department.

They immediately receive an email notification with a direct link to the assigned tasks.

How Department Feedback is Submitted

The assigned Department Manager can:

  • Complete the task personally
  • Reassign the task to a team member within their department.

The person responsible for each task must enter their findings in the “Execution Report” field and then move the task to status “Completed”.

These tasks ensure structured and consistent reporting from each department involved in the investigation.

Completion Requirement

The investigation cannot be submitted for approval until all departmental feedback tasks are completed.

The Investigation Leader can submit the investigation for approval only after all assigned departments have completed their tasks.

Investigation Approval Process

Before an investigation can move forward, all departmental feedback tasks must be completed.

The Investigation Leader can only submit the investigation for approval after all requested departments have finished their input.

The approval process follows the same structure as deviation approvals, using a clearly defined approval matrix.

1. Department Review

Once the investigation is ready, the Investigation Leader submits it for Department Approval.

The system automatically sends an email notification to the Department Manager of the department where the original complaint or deviation occurred.

The manager reviews the investigation and chooses one of the following actions:

  • Approve - The investigation moves to the next step: For QA Review.
  • Send Back to Start
    • The manager enters comments explaining what needs to be corrected.
    • The Investigation Leader is notified and must update the investigation before submitting it again.

2. Quality Assurance Review

After the department approves, the investigation is sent to the Quality Assurance (QA) team.

QA reviewers can also:

  • Approve - The investigation moves to the Final Approval step.
  • Send Back to Start - Comments must be added. The Investigation Leader is notified and must revise and resubmit.

3. Final Approval – QP or Responsible Pharmacist

The final approver is determined based on the field Final Approver Role, selected during the investigation setup (or inherited from the related deviation or complaint). This can be either the Qualified Person (QP) or the Responsible Pharmacist (M.Pharm.).

They review the completed investigation and then:

  • Approve - The investigation is marked Completed.
  • Send Back to Start - Comments are required. The investigation must be revised and resubmitted.

What Happens After Final Approval?

Once the investigation is fully approved, the system checks the Post Approval Process settings to determine the next steps:

  • If no follow-up is selected: The investigation is complete, and the process ends.
  • If “Deviation Required” is selected (only for investigations created from complaints): A Deviation is automatically created and linked to the investigation.
  • If “CAPA Required” is selected: A CAPA is automatically created and the process continues in the CAPA module.

This ensures the investigation leads to appropriate follow-up actions, based on risk and findings.

CAPA

TO BE COMPLETED…