A QA manager responsible for reviewing maintenance records across a 200-asset pharmaceutical facility has two options: review every record, every week — a task that takes 8 to 12 hours and produces diminishing returns because 95% of records are unremarkable — or review only the records that deviate from expected behaviour. The second approach is review by exception. It does not lower the quality of oversight. It improves it — because a QA team spending 10 hours reviewing 200 normal records has less bandwidth to deeply investigate the 4 records that actually need attention than a team spending 2 hours reviewing only those 4. The challenge is that exception-based review requires a system that already knows what "normal" looks like for each asset and flags deviations automatically. Book a demo to see OxMaint's exception dashboard for pharma maintenance records — or start free and configure your first exception rules today.
Blog · Data Integrity · QA Review · GMP
Maintenance Record Review by Exception for QA
Stop reviewing 200 records to find the 4 that need attention. A QA exception dashboard surfaces only what deviates — so your team reviews smarter, not longer.
95%
Of maintenance records reviewed weekly are unremarkable — no exception, no action needed
8–12 hrs
Typical weekly QA review time under full-record review approach
1–2 hrs
Typical weekly review time using exception-based flagging
4× deeper
Investigation quality on flagged records when QA is not fatigued by volume
The 5 Exception Categories That Matter Most for Pharma Maintenance QA
Not every deviation from expectation is equally important. These five categories cover the exception types that generate the most significant GMP compliance risk — and the ones FDA investigators look for first when reviewing a site's maintenance records during inspection.
Missed or Overdue PM
Risk Level: High
A PM work order past its due date on a critical or major asset is an immediate GMP exception. Under 21 CFR 211.182, PM must be performed according to a written schedule. Overdue PMs on equipment directly linked to batch production create a documentation gap that investigators will trace to the affected batches.
Exception flag: Work order not closed within 110% of scheduled interval on Critical / Major assets
Unsigned or Incomplete Work Order
Risk Level: High
A work order marked "complete" without a technician e-signature, without all required fields filled, or without mandatory attachments (calibration certificate, inspection photo) is a data integrity failure under ALCOA+. These are frequently found during internal audits and consistently cited in FDA warning letters as examples of inadequate documentation culture.
Exception flag: Work order status = Closed AND (e-signature missing OR required field blank OR mandatory attachment absent)
Record Edited After Closure
Risk Level: Critical
Any modification to a closed, signed work order is a potential data integrity event requiring investigation. Legitimate corrections must be documented with reason-for-change and re-signed. Unexplained modifications to closed records — particularly those linked to batches that were released to market — are the type of finding that escalates from a 483 observation to a Warning Letter.
Exception flag: Any field change to a record with status = Closed, regardless of who made the change
Overdue QA Approval
Risk Level: Medium
A work order pending QA review that has been sitting in the approval queue for more than 5 business days indicates a process bottleneck — and a gap in real-time quality oversight. Deviations and CAPA records requiring QA review that are not actioned within defined timelines demonstrate a quality system that does not function at the speed its SOP claims.
Exception flag: Work order or deviation pending QA signature for > 5 business days
Repeat Failure on Same Asset
Risk Level: High
Two or more breakdown work orders on the same asset within a rolling 90-day window indicate a recurring problem that the current PM programme is not addressing. This is a trend signal — not just a maintenance issue. Under 21 CFR 211.192, recurring equipment failures require investigation, and a CAPA that failed to prevent recurrence requires a documented effectiveness review.
Exception flag: 2+ corrective work orders on the same asset ID within 90 days, no linked CAPA
EXCEPTION REVIEW · OXMAINT · GMP QA
OxMaint Surfaces Every Exception. Your QA Team Reviews Only What Needs Review.
Configure exception rules per asset criticality, review cadence, and QA escalation threshold. OxMaint flags the deviations. Your team investigates them. Compliance is maintained at a fraction of the review time.
Full Review vs Exception Review — What QA Time Actually Looks Like
| QA Review Activity | Full-Record Review | Exception-Based Review |
|---|---|---|
| Time spent per week (200-asset site) | 8–12 hours — every record read regardless of status | 1–2 hours — only flagged exceptions reviewed in depth |
| % of records that needed action | 3–8% — but QA had to read 100% to find them | 100% of reviewed records need action — zero wasted reviews |
| Depth of investigation on flagged items | Shallow — QA fatigued after reviewing 180 normal records | Deep — QA fresh, focused, and starting from the exception flag context |
| Missed exceptions due to volume fatigue | Common — critical items buried in volume of normal records | Structurally prevented — system flags before QA looks |
| Audit trail of QA review activity | Often absent — no record that QA looked at a record and found it acceptable | Automatic — each exception reviewed is logged with QA e-signature and disposition |
| FDA readiness | Depends on QA not having missed something in volume | Documented exception log shows systematic, risk-based oversight — what FDA expects |
How to Structure a GMP Review-by-Exception Programme
A review-by-exception programme is not just a software configuration — it is a documented quality process. These four components are required for the programme to be defensible in an FDA inspection.
1
Define Exception Rules Per Asset Criticality
Exception thresholds must differ by asset criticality. A critical asset (direct product contact, sterility-critical, batch-release instrument) triggers an exception at 110% of scheduled PM interval — a major asset at 120%, a minor asset at 130%. These thresholds must be documented in the site's Quality Management Plan or Calibration Master Plan, not just configured in software.
2
Assign Named Reviewers and Cadence
Review-by-exception is not anonymous. Each exception category must have a named QA reviewer assigned, a review cadence (daily for Critical closures, weekly for Major, monthly summary for Minor), and a documented escalation path if the exception is not actioned within the defined SLA. The RACI for exception review must be version-controlled and current.
3
Document Disposition for Every Reviewed Exception
Every exception that was reviewed and found acceptable must have a documented disposition — not just "no action taken." The acceptable dispositions are: closed (exception resolved), escalated to deviation investigation, or accepted with documented justification. An exception reviewed and found acceptable with no record of the review is indistinguishable from an exception never reviewed at all.
4
Generate Monthly Exception Summary for Management Review
Monthly exception summaries — total exceptions by category, closure rate, average resolution time, and repeat exception trends — are the data that management review meetings need to identify systemic maintenance quality issues before they become inspection findings. A site that cannot show exception trends over time has no documented evidence of proactive quality oversight.
Expert Review
"The most inspection-ready pharmaceutical sites I have worked with do not have the most diligent QA reviewers — they have the smartest review systems. Review by exception is not a shortcut. It is the correct application of risk-based thinking to a quality oversight process. When a QA manager spends ten hours reading every maintenance record every week, their ability to deeply investigate the records that actually contain problems is degraded by volume fatigue. When the system does the first pass — flagging the overdue PM, the incomplete form, the post-closure edit, the record with no CAPA despite two failures on the same asset in ninety days — the QA manager arrives at each review with full context, clear evidence, and the cognitive bandwidth to make a genuinely risk-based quality decision. FDA expects quality oversight to be risk-based. Review by exception is what risk-based quality oversight looks like in practice."
Dr. Priya Nair, PE, CCP, LEED AP
Licensed Mechanical Engineer · Certified Commissioning Professional (AABC) · 16 years pharmaceutical GMP quality systems design and FDA inspection readiness · Specialist in risk-based QA review framework implementation across API and finished dose sites
Frequently Asked Questions
Is review by exception compliant with GMP documentation requirements?
Yes — provided the exception programme is documented, risk-based, and produces evidence that review occurred. GMP regulations require quality oversight, not exhaustive manual review of every record. FDA guidance on quality systems explicitly endorses risk-based approaches to quality oversight, which review by exception directly implements. The key compliance requirement is that the exception rules, reviewer assignments, cadence, and disposition records are documented in an approved quality document — and that the exception review itself generates a dated, signed record proving the review was performed.
What exception rules should be configured for a small pharma site with limited QA resource?
For a small site, focus exception rules on the three highest-risk categories: overdue PM on Critical assets (flag at 110% of interval); unsigned or incomplete work orders on any asset involved in batch production; and any record modification after closure. These three rules capture the exception types most likely to appear in an FDA inspection. Secondary rules — repeat failures, overdue QA approvals — can be added once the primary programme is operational and review capacity is established. Book a demo to see how OxMaint's exception rules are configured per site.
How does OxMaint generate and present maintenance record exceptions for QA review?
OxMaint evaluates every maintenance record against configured exception rules at each system sync. Flagged exceptions appear in the QA review dashboard organised by category, asset criticality, and date flagged — with direct links to the underlying record, the asset history, and any linked deviations or CAPAs. QA reviewers sign off each exception with an e-signature and documented disposition, creating the review audit trail required for FDA inspection. Monthly exception summaries are auto-generated and available as reports without manual data assembly. Start free to configure your site's exception review rules.
What is the difference between an exception review and a periodic review in pharma QA?
A periodic review is a scheduled review of all records within a defined period — weekly, monthly, or quarterly — regardless of whether any record contains a deviation. A review by exception surfaces only records that deviate from defined normal parameters for immediate QA attention, independent of schedule. In practice, most compliant programmes use both: exception review for immediate risk response, and periodic review for trend analysis and system health checks. OxMaint supports both — exception flags in real time and scheduled periodic review digests that summarise the exception record for the period.
QA REVIEW · EXCEPTION DASHBOARD · OXMAINT
Stop Reviewing Everything. Start Reviewing What Matters.
OxMaint's exception dashboard flags overdue PMs, unsigned work orders, post-closure edits, repeat failures, and pending QA approvals — so your QA team spends their review time on records that need attention, not on records that confirm everything is normal.
