Different MES at each site. Different SOP interpretations. Different deviation thresholds. One inspector who just came from your other facility. The multi-site quality trap isn't a governance problem — it's a visibility problem.
An FDA investigator finishes a two-week inspection at your Hyderabad facility. They documented three 483 observations: two related to deviation investigation depth, one about cleaning validation hold times. Six weeks later, a different investigator begins an inspection at your Pithampur site. They open the same FDA database. They see the Hyderabad findings. They now know exactly what to look for — and they expect your quality system to have caught and propagated whatever corrective actions came out of the first inspection.
At Pithampur, they find that deviation investigations follow a different template. The threshold for what constitutes a “critical” versus “major” deviation is different. The cleaning validation protocol was written by a different team using different acceptance criteria. The investigator writes a 483 observation that includes a sentence pharma companies dread: “These repeated failures at multiple sites demonstrate that your management’s oversight and control over the manufacture of drugs is inadequate.”
That sentence appeared in FDA’s July 2025 warning letter to Glenmark Pharmaceuticals — the third warning letter to a Glenmark facility in six years. Three of five factories producing drugs for the US market had received warning letters since 2019, each citing variations of the same systemic failures: inadequate investigations, insufficient root cause analysis, poor CAPA effectiveness. The warning letter explicitly referenced the pattern across sites.
This is the multi-site quality trap. And if you run quality operations across more than a handful of facilities, some version of it is happening inside your company right now.
FDA doesn’t inspect sites in isolation. Their internal databases — and since June 2025, their AI system “Elsa” — cross-reference findings across your entire facility network. The question is whether your own quality system can see what the regulator already sees.
The ISPE Quality Metrics Pilot Program — conducted with McKinsey across 28 companies and 83 sites — found that most companies collect quality metric data at the site level, and “there are often different definitions or variations in interpretations of a definition between sites in the same company.” Even basic terms like “lot,” “deviation,” “complaint,” and “review” had site-specific meanings. The pilot concluded that harmonising definitions across an enterprise was a “significant burden” — and that was just the measurement problem, before anyone tried to harmonise the actual practices.
Consider what varies across sites in a typical multi-site pharma manufacturer:
Deviation classification thresholds. One site classifies a 2°C temperature excursion as minor. Another classifies the same excursion as major. Both are following their local SOPs. Neither is wrong. But when FDA reviews deviation rates across your network, the site with the lower threshold appears to have fewer quality events — which raises questions about whether they are detecting problems or ignoring them.
Investigation depth. At Bristol Myers Squibb’s Devens facility, FDA found 337 manufacturing deviations in six months classified as “no impact” — with zero root cause investigations. At a company with 30 sites, investigation rigour varies not because of policy, but because of local culture, staffing levels, and how much pressure the site director puts on cycle times.
SOP interpretation. A master SOP says “investigate root cause using appropriate tools.” Site A interprets this as a fishbone diagram. Site B uses 5-Whys. Site C does both. Site D does neither and writes “operator error” because the SOP doesn’t mandate a specific methodology.
System fragmentation. Different MES platforms, different LIMS configurations, different document management systems. Data structures don’t align. Batch record formats differ. Even when the same vendor’s MES is deployed, local configuration decisions made during validation create site-specific workflows that diverge over time.
McKinsey estimates that 25–30% of pharmaceutical manufacturing costs relate to quality. At multi-site operations, a meaningful share of that cost is duplicated effort: each site independently validating processes, independently investigating deviations with shared root causes, independently developing CAPAs for problems that other sites have already solved.
83: ISPE's quality metrics pilot with McKinsey found that even basic quality terms had different definitions between sites in the same company.
25–30%: McKinsey estimates quality-related activities consume a quarter to a third of pharma manufacturing costs — much of it duplicated at multi-site operations.
24%: BioPhorum found nearly 1 in 4 deviations are repeats of previous events — a number that compounds when sites can't see each other's investigation history.
FDA’s inspection apparatus has evolved significantly in the past two years. The agency reorganised its Office of Regulatory Affairs into the Office of Inspections and Investigations (OII) in October 2024, streamlining the path from inspection finding to warning letter. The result: warning letter issuance time dropped by approximately one-third.
More consequentially, FDA launched Project Elsa in June 2025 — an internal AI system that cross-references adverse event reports, compliance data, 483 observations, and historical inspection outcomes across facilities. Elsa can scan batch records from multiple sites, correlate out-of-spec trends with complaint patterns, and flag facilities where signals converge. It runs in AWS GovCloud and is designed specifically to identify high-priority inspection targets.
The practical implication: when an investigator walks into your facility, they may already know what was found at your other sites. They know your company’s 483 history. They know which CFR sections were cited. They can see patterns that your own quality organisation may not be tracking — because your quality data lives in site-level silos.
The Glenmark case makes this concrete. Warning letters were issued to the Himachal Pradesh facility (2019), the Goa facility (2022), and the Pithampur facility (2025). Each cited failures in OOS investigation, root cause analysis, and CAPA effectiveness. The 2025 letter explicitly stated that “repeated failures at multiple sites demonstrate that management’s oversight and control over the manufacture of drugs is inadequate.” The consequence: more than 50 million potassium chloride capsules recalled, eight patient deaths reported to FDA, and a company-wide remediation mandate.
Cipla experienced a similar pattern. Warning letters to the Goa facility (2020) and the Pithampur facility (2023) cited overlapping failures in contamination control, complaint handling, and management oversight. The 2023 letter noted that “similar CGMP violations” had been cited at other Cipla facilities — the same cross-referencing language that signals FDA views quality failures as a network-level problem, not a site-level problem.
FDA’s language in multi-site warning letters is specific and deliberate: “These repeated failures at multiple sites demonstrate that your management’s oversight and control over the manufacture of drugs is inadequate.” This is not a finding about a facility. It is a finding about a company.
Most multi-site quality organisations establish a central quality council or governance committee. These groups meet quarterly, review aggregated metrics, and issue directives. But their inputs are site-submitted summaries — not raw, real-time quality data. A site that classifies 40% of deviations as 'minor' and closes them in 5 days looks efficient on a dashboard. Whether those classifications are appropriate requires access to the underlying investigation files, which governance committees rarely have. The committee governs the reports. It cannot govern the reality behind the reports.
Issuing a master SOP from corporate headquarters is straightforward. Ensuring 30 sites interpret and execute it identically is not. A master deviation investigation SOP that says 'use an appropriate root cause analysis tool' will be implemented differently at every site. The SOP is standardised. The practice is not. And because execution data lives in site-level systems, corporate quality has no visibility into the gap between the written procedure and the actual workflow.
A corporate quality dashboard might show that Site A has a 15-day average deviation closure time and Site B has a 32-day average. This tells you there is a difference. It does not tell you why. Is Site A faster because its investigators are more efficient, or because they're classifying complex deviations as minor and closing them without adequate investigation? Is Site B slower because they're more thorough, or because they're under-resourced? Without the ability to drill from the aggregate number into the investigation context — across systems that don't share data — the dashboard creates confidence without providing insight.
You can train every investigator across 30 sites on the same root cause analysis methodology. Six months later, under deadline pressure and with site-specific quality cultures, investigators revert to local norms. Training addresses competency. It does not address the structural incentives — cycle time targets, headcount constraints, local management priorities — that drive divergent practices. And without cross-site visibility into how investigations are actually being conducted, you cannot detect the drift.
The pattern is consistent across every multi-site harmonisation effort. A company launches an initiative — often after a regulatory action — appoints a global quality lead, forms a steering committee, and begins writing master documents. Twelve to eighteen months later, the master SOPs exist. The governance structure is in place. The dashboards are built. And the sites are still operating differently, because none of these interventions address the fundamental problem: nobody can see what’s actually happening across the network in real time.
The ISPE–McKinsey pilot programme demonstrated this quantitatively. When researchers worked site-by-site with the 83 participating facilities, they found that getting companies to report against harmonised metric definitions required intensive, manual effort at each location. The definitions were agreed. The data collection was not. Every site had built its quality system to serve its own operational needs, and those systems did not produce data in a format that could be compared across sites without manual translation.
This is the structural trap. You cannot harmonise what you cannot see. And you cannot see across sites when each site’s quality data is locked inside systems that were never designed to talk to each other.
Every harmonisation initiative starts from the same assumption: if we standardise the rules, the sites will converge. The evidence from ISPE’s pilot programme, from FDA enforcement patterns, and from the experience of every CQO who has attempted enterprise-wide quality harmonisation says otherwise. Rules don’t harmonise systems. Visibility does.
What multi-site pharma manufacturers lack is not a better SOP or a better dashboard. They lack a shared intelligence layer — a connected representation of quality state across all facilities that makes cross-site patterns visible in real time.
This layer would need to do several things that no current combination of QMS, MES, and BI tools can deliver:
Normalise quality events across heterogeneous systems. A deviation recorded in SAP MES at Site A and a deviation recorded in a different MES at Site B need to be representable in a common structure — not just at the summary level, but at the investigation level. What was the deviation type? What was the root cause category? What equipment was involved? What batch, product, and process step? Without this normalisation, cross-site comparison is impossible.
Detect cross-site patterns in real time. When three sites experience temperature excursions in the same process step within the same month, that’s not three independent events. It’s a signal — potentially a shared raw material issue, a shared equipment design flaw, or a shared SOP gap. Detecting these patterns requires correlating quality events across sites as they happen, not reviewing quarterly aggregations three months after the fact.
Make investigation context portable. When Site A completes a root cause investigation for a granulation temperature excursion and identifies a specific CAPA — say, adjusting jacket water flow control parameters — that investigation context should be available to Site B’s investigator when they encounter the same event. Not as a PDF in a shared drive. As structured, queryable knowledge that an investigator (or an AI agent) can access during an active investigation.
Expose inconsistency automatically. If Site A classifies a 2°C excursion as major and Site B classifies an identical excursion as minor, the intelligence layer should flag the inconsistency — not after a quarterly governance review, but immediately, while the classification decision is being made. The same applies to investigation depth, CAPA types, closure timelines, and every other quality practice that should be consistent but isn’t.
This is architecturally distinct from a data warehouse or a business intelligence layer. A data warehouse aggregates historical data for reporting. A shared intelligence layer connects live quality state across systems, normalises it into a common ontology, and enables real-time pattern detection and cross-site reasoning.
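The normalisation step and two of the checks described above (cross-site pattern detection and classification inconsistency), as an added sketch that is not code from any QMS or MES product. All field names, severity codes, site labels and records are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class QualityEvent:          # hypothetical common structure
    site: str
    event_type: str
    process_step: str
    delta_c: float           # size of the excursion in degrees C
    severity: str            # common vocabulary: minor / major / critical
    month: str               # YYYY-MM

# Constructed exports: two local formats with different field names and codes.
SITE_A_ROWS = [{"dev_type": "TEMP_EXCURSION", "step": "granulation",
                "delta_c": 2.0, "class": "MAJOR", "opened": "2025-03-04"}]
SITE_B_ROWS = [{"category": "temperature excursion", "unit_op": "Granulation",
                "deviation_degC": "2", "sev": 3, "date": "2025-03-11"}]
SITE_C_ROWS = [{"category": "temperature excursion", "unit_op": "Granulation",
                "deviation_degC": "3.5", "sev": 2, "date": "2025-03-20"}]

TYPE_ALIASES = {"temp_excursion": "temperature_excursion"}  # assumed ontology map
B_SEVERITY = {1: "critical", 2: "major", 3: "minor"}        # assumed numeric codes

def from_format_a(site, r):
    etype = r["dev_type"].lower()
    return QualityEvent(site, TYPE_ALIASES.get(etype, etype), r["step"].lower(),
                        float(r["delta_c"]), r["class"].lower(), r["opened"][:7])

def from_format_b(site, r):
    etype = r["category"].lower().replace(" ", "_")
    return QualityEvent(site, TYPE_ALIASES.get(etype, etype), r["unit_op"].lower(),
                        float(r["deviation_degC"]), B_SEVERITY[r["sev"]], r["date"][:7])

def normalise():
    events = [from_format_a("A", r) for r in SITE_A_ROWS]
    events += [from_format_b("B", r) for r in SITE_B_ROWS]
    events += [from_format_b("C", r) for r in SITE_C_ROWS]
    return events

def classification_conflicts(events):
    """Identical events (type, step, magnitude) that sites classified differently."""
    groups = defaultdict(dict)
    for e in events:
        groups[(e.event_type, e.process_step, e.delta_c)][e.site] = e.severity
    return {k: v for k, v in groups.items() if len(set(v.values())) > 1}

def cross_site_clusters(events, min_sites=3):
    """Same event type in the same process step and month at min_sites or more sites."""
    groups = defaultdict(set)
    for e in events:
        groups[(e.event_type, e.process_step, e.month)].add(e.site)
    return {k: sorted(s) for k, s in groups.items() if len(s) >= min_sites}

if __name__ == "__main__":
    evs = normalise()
    print("classification conflicts:", classification_conflicts(evs))
    print("cross-site clusters:", cross_site_clusters(evs))
```

Matching on exact magnitude is the simplest possible rule; a real comparison would need agreed tolerance bands per event type before two excursions count as identical.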
Each site investigates independently. Investigator has no visibility into whether the same event occurred elsewhere. Root cause analysis starts from zero. If a CAPA was already developed for an identical deviation at another site, no one knows. Investigation takes 29 calendar days (BioPhorum benchmark). 24% of deviations recur.
29 days average, no cross-site learning
Deviation is automatically matched against quality events across all facilities. Investigator sees that two other sites experienced the same event last quarter, with completed root cause analyses and effective CAPAs. Investigation inherits prior context. New investigation focuses on site-specific factors, not re-establishing what's already known.
Investigation time reduced by the proportion of duplicated effort — typically 40–60%
Each site prepares for inspection independently. Corporate quality compiles a binder of cross-site metrics that may not reflect current state. If FDA found issues at Site A, Site B has no systematic way to verify it addressed the same risk. The inspector knows your history better than you do.
Weeks of preparation, no real-time cross-site view
When a 483 is issued at any facility, the intelligence layer automatically identifies which other sites have the same exposure — same equipment types, same processes, same potential gaps. Remediation is propagated as a network-level action, not a site-level reaction. The company's cross-site view matches or exceeds the regulator's.
Continuous readiness, automated exposure assessment
Transferring production requires a full technology transfer package. Validation is duplicated. SOPs are rewritten for the receiving site's format. Quality expectations must be manually communicated and verified. Timelines measured in months to years.
6–18 months for a typical tech transfer
Quality context travels with the product. The receiving site can see the sending site's full quality history for the product — deviation patterns, CAPA history, CPP ranges, CQA trends. Validation focuses on site-specific differences, not re-establishing the quality baseline. Transfer timelines compress because the knowledge gap compresses.
Transfer accelerated by eliminating redundant quality discovery
The operational impact extends beyond individual workflows. When a COO can see real-time quality state across all sites, production scheduling becomes quality-aware. If Site A is experiencing an elevated deviation rate on Product X, production can be shifted to Site B — but only if you know Site B’s quality state for that product in real time. Without a shared intelligence layer, that decision requires phone calls, email chains, and weeks of data gathering. With one, it’s a query.
The regulatory impact is equally direct. When FDA issues a 483 at one site, the CQO needs to answer a question that currently takes weeks to resolve: “Do our other sites have the same exposure?” With site-level systems, this requires commissioning audits at every potentially affected facility. With a shared intelligence layer, it’s an automated assessment that runs in minutes.
Before harmonising practices, map how quality data flows at each site. Which systems capture deviations? How are they classified? What data structure does each MES use for batch records? The goal isn't a perfect inventory — it's identifying the structural gaps that prevent cross-site comparison. Most CQOs discover that what they assumed was a 'common QMS' is actually 5–10 different system configurations with incompatible data models.
Pick one quality process — deviation classification is a good starting point — and compare how it's executed across your top 5 sites. Pull actual deviation records, not summary metrics. Compare classification decisions for similar events. The delta between what sites call 'minor' versus 'major' for the same event type will quantify the harmonisation gap in a way that governance committees cannot argue with. This is the data that builds the business case.
The conventional approach is: standardise SOPs first, then measure compliance. The evidence suggests the reverse order works better. First, build visibility into what's actually happening at each site. Then use that visibility to identify which inconsistencies matter — some variation is acceptable, some creates regulatory risk. Standardise the practices that create risk. Accept the variation that doesn't. You can't make that distinction without cross-site data.
The multi-site quality trap persists because it’s structurally invisible to the organisations caught in it. Each site operates within its own system boundaries. Each site’s metrics look reasonable in isolation. The inconsistencies only become visible when an external observer — an FDA inspector, an auditor, or a system that can see across sites simultaneously — compares them.
FDA’s investment in cross-referencing tools like Project Elsa means the regulatory view of your quality network will only get sharper. The question is whether your internal view will keep pace. Companies that build a shared intelligence layer across their manufacturing network will see what the regulator sees — before the regulator arrives. Companies that don’t will keep discovering their multi-site quality gaps the same way they do today: during an inspection, in a 483 observation, in a warning letter that references failures at facilities thousands of miles apart.
The missing layer isn’t more governance. It isn’t more training. It isn’t a better dashboard. It’s the ability to see your quality state as one connected system — because that’s how your regulator already sees it.