Strong increase in findings in Computer System Validation ( CSV) audits:
When the phone rang for the first time in early December, we thought it was the usual monthly request for support because yet another medical device company had failed an FDA or notified body audit due to Computer System Validation (CSV).
When I received my sixth inquiry on this topic in week 2 within four weeks (including the Christmas holidays), I was quite astonished. The question arises: “Have the notified bodies in medical technology tightened the reins like this?” This has been the case in the pharmaceutical and clinical trials sectors for some time. To cut a long story short – I can’t prove it conclusively, but what I’ve learned confirms my impression from the last two years. For notified bodies, the topic of CSV is no longer just a marginal issue; it has become a focus of audits. The same has been the case with the FDA for about five years now, by the way! There, documentation/CSV topics have been among the top three audit observations for the last two years.
The notified bodies seem to be following suit, at least in the cases mentioned here involving TÜV Süd, MDC, and TÜV Rheinland. To my knowledge, there are no official audit statistics kept by notified bodies or European government agencies, so I can’t verify my impression more precisely. But my experiences, as mentioned above, suggest the following:
Notified bodies are increasingly focusing on computer system validation in the medical technology sector. There appear to be three areas of interest:
- Missing or insufficient validation of ERP systems
- Missing or insufficient validation of Excel tables (in production and quality management)
- and general information about CSV
The reason for this is certainly the fact that ISO 13485:2016 (unlike its predecessor) requires auditors to have specific knowledge of software and CSV. Furthermore, the generational change among auditors over the past five years has contributed to the fact that weaknesses in the CSV field are now being uncovered among medical technology manufacturers.
If you’re thinking that this is just another blog in which a consultant advertises his area of expertise and tries to generate business, then I have to disappoint you.
We are fully booked for CSV consulting for the very long term and cannot currently handle any requests. However, I would advise you to be careful and prepared. Be prepared for the upcoming audit to ask specific questions about computer system validation. It is no longer enough to simply have a folder labeled
Having a „validation“ and hoping that the auditor won’t look into it anyway (2nd call). Equally problematic is having a retrograde validation and hoping that you don’t have to validate a newly introduced ERP version „correctly“ (validation based on empirical values is then out of the question, because you’ve already used the joker) (4th call). Hoping that you can just ignore all the Excel spreadsheets in production is also no longer successful (3rd and 5th calls).
Even with targeted questions about a software inventory (1st call) or a risk assessment of the software solutions used (6th call), auditors „hit the mark,“ especially when a medical technology manufacturer does not have either.
The most important thing to remember is that you should not panic and always make sure that you buy validated software systems. Validating an Excel spreadsheet or creating a validation master plan incurs considerable but manageable costs. However, if, out of panic or ignorance, you choose a „validable“ or
If you use a „validable“ or „easy-to-validate“ system in a quality-relevant area, it becomes very expensive. Customers quote costs for such validations can easily reach €50,000 or more.
