Learn / Regulated wedge
Your logger caught the excursion. Now what?
The sensor did its job. It flagged a pallet of insulin analog reading 9.2°C for 47 minutes against a 2 to 8°C label, on the tarmac in Frankfurt before the Singapore leg. The alarm is the easy part. What happens in the next four hours, and whether it holds up in an audit, is the process nobody actually owns.
An excursion is not a data problem. Your monitoring vendor already solved the data problem: you have the graph, the time-out-of-range, the min and max. The problem is that the graph does not tell anyone what to do next, who is allowed to make the call, or how to prove the call was made correctly. That is the investigation, and it lives in the gap between the sensor and the document vault, where nobody is holding it.
The four hours that get you a finding
Here is where investigations go wrong, and it is almost never the assessment itself. It is the handoff. The alarm fires to a shared monitoring inbox at 22:40. The duty officer sees it at 23:15 and is not sure whether this lane's SOP wants a two-hour or a four-hour notification window. They call the on-call QA number, which rings out. The pallet gets loaded because the flight will not wait. By the time the excursion is formally opened as a deviation the next morning, product has moved, the reefer truck has been released, and the clean reconstruction of what happened when has already started to blur.
Nothing here was a monitoring failure. Every step was a process failure: an unclear notification trigger, an undefined escalation path, no record of who decided to load, and no single place holding the current version of the rule for this exact scenario. An assessor does not need to find a wrong disposition to write you up. They only need to find that you cannot show the same procedure was followed every time.
The decision tree, made explicit
A defensible excursion procedure is a routed decision, not a paragraph in a Word file. Walk it in order:
- Detect and classify. The reading breaches the alarm criteria for this product and this range. Is it a genuine excursion or a known artefact (a probe out of the payload during a door-open event)? The criteria that separate the two must be written, not judged fresh each time.
- Contain. Quarantine the goods, physically and in the system, so nothing ships on assumption. Status is now "hold pending disposition," visible to everyone touching the shipment.
- Notify and escalate. A defined trigger to a named role inside a defined window. If the first contact does not respond, the path to the next one is part of the procedure, not part of the duty officer's luck.
- Assemble the facts. Time-out-of-range, cumulative exposure, the product's approved stability data and any mean kinetic temperature allowance, prior excursions on this lot or lane.
- Assess. A qualified quality role compares exposure against the stability profile and reaches a disposition. This is the step that requires judgment. Everything around it should not.
- Disposition and sign off. Release, reject, or hold for further data, recorded against a person and a timestamp with the reasoning attached.
- Decide on CAPA. If this is the third excursion on the Frankfurt to Singapore lane this quarter, the deviation is closed but the real problem is not. That is a corrective action, tracked separately.
Why the two tools you already own do not cover this
The monitoring platform detects and records the temperature. It is very good at that, and it should stay. But it does not hold the escalation path, the separation of duties, or the branching logic for a dangerous goods shipment that is also excursing. The QMS stores the finished deviation record and the SOP PDF. It proves a document exists. It does not route the live investigation, does not resolve to the right steps for this scenario at 23:15, and cannot show that the version followed was the current one. The living, scenario-aware procedure that connects the alarm to the signed disposition is the layer between them, and it is the layer most operations run out of memory and a stale file.
This is the same structural gap we describe in where does your operational process actually live: the process you most need to be true at the worst moment is the one nobody can point to a home for.
What "audit-ready" actually means here
When the GDP inspector picks the Singapore excursion off your deviation log and says "walk me through it," audit-ready means you show one record: the alarm, the classification against written criteria, the timestamped notification to the named QA role, the containment status, the stability data used, the signed disposition, and the CAPA decision, in sequence, with the version of the procedure that was in force that night. Not audit-ready means someone opens SharePoint, finds three candidate SOPs, and starts explaining which one people "actually use." The first answer takes a click. The second is a finding forming in real time.
The excursion is a forced event, and forced events are where an operation's real maturity shows. It is closely related to two others worth reading: why "SOP not followed" is a design failure, not a discipline failure, and GDP inspection readiness. All three come down to the same thing: a governed, current, scenario-aware process, or a defence built from memory.
Where FLOW fits
FLOW is where that excursion procedure lives as one master process that resolves to the exact route for the situation: standard cold chain, dangerous goods, or an excursion in progress. It carries owners, versions, sign-off, and an audit trail, so the disposition is traceable to a person and the version followed is provably the current one. It does not replace your loggers and it does not replace your QMS. It owns the governed process between them, and it is readable by the agents you will eventually point at this workflow. If you want the fuller category argument, start with the process system of record. If you want to see how deep the gap runs in your own operation, the process graveyard audit takes ten minutes.
Common questions
What is a temperature excursion investigation procedure?
It is the documented process that runs from the moment a logger or monitoring system flags an out-of-range reading to the moment product is dispositioned as released, rejected, or quarantined. A defensible procedure defines the alarm criteria, who is notified, what stability and time-out-of-range data is gathered, who performs the assessment against the product's stability profile, who has authority to release or reject, and how the whole trail is recorded. GDP and CEIV Pharma expect this to exist, be followed, and be evidenced.
Who decides whether product is released or rejected after an excursion?
The disposition decision is a quality decision, not an operational one. It sits with a named quality role, typically a QA or quality manager or, for medicinal products, a responsible or qualified person, assessing the excursion against the product's approved stability data and any mean kinetic temperature allowances. Operations gathers the facts and quarantines the goods. Quality makes and signs the release or reject call. The procedure has to make that separation of duties explicit so the sign-off is traceable to a person and a timestamp.
How is a temperature excursion different from a deviation or CAPA?
An excursion is the event: a reading outside the labelled range. A deviation is the formal quality record you open to investigate that event and decide disposition. A CAPA is what you raise if the investigation finds a systemic cause worth correcting, for example a lane, a packaging spec, or a handover that keeps failing. One excursion can produce one deviation and, if the root cause is recurring, one CAPA. Confusing the three is itself a common audit finding.
Does GDP require a documented excursion decision tree?
GDP requires that temperature excursions and deviations are documented, investigated, and managed, and that decisions are made by authorised people against defined criteria. It does not mandate a specific diagram. In practice a clear decision tree or routed procedure is the easiest way to prove to an inspector that the same criteria are applied every time rather than being decided from memory, which is where inconsistent, undocumented calls turn into findings.
Make your excursion procedure provable, not remembered.
Bring one cold chain SOP to a 30-minute pilot session. Leave with the excursion route living in FLOW: scenario-aware, owned, and ready to answer the assessor in one click.
Book a pilot →