‘Have you heard of CSV?’ part 5. Audits in CSV.

A life sciences company manufactures and sells pharmaceutical products. The ultimate concerns of a GxP-regulated business are patient safety, product quality and data integrity. To meet these concerns, the organization is frequently audited by regulatory authorities, while the company itself audits its suppliers and other partners as needed. As a continuation of the CSV blog series, we examine here the importance of audits specifically in the area of Computer System Validation (CSV).

  • What is an audit and what is its purpose?
  • Why are CSV audits important?
  • What are the CSV topics that life sciences companies ought to consider?
  • What are the benefits of audits in CSV?

References [1], [2], [3], [4] may help the reader catch up on earlier concepts and related terminology.

What is an audit and what is its purpose?

Let’s start with the basics. According to ISO 19011, an audit is “an evidence gathering process” [Ref.5]. It is a systematic, objective and documented process for obtaining evidence and evaluating it to determine whether pre-determined criteria are met. In addition to the audit-related definitions listed in Ref.5, further guidance on CSV-related audits can be found in the GAMP 5 guideline [Ref.6] and in the ASQ Auditing Handbook [Ref.7]. The EU Annex 11 [Ref.8] and the PIC/S guide [Ref.9] also provide very useful directions for auditing. Below are some key points:

  • The purpose of audits in CSV is to ensure that regulated companies and their computerized system suppliers fulfil pre-determined requirements, or in other words that they conform/meet/comply with these set requirements. This task has two sides: the organization (a) prepares to be audited and (b) performs audits.
    • An organization needs to be prepared for audits performed by the authorities or other parties (e.g. for-cause audits). An organization can have its own internal audit group with an established audit program, managed by the appropriate personnel, that regularly and periodically assesses the organization’s compliance with regulations and prepares the organization to answer auditors’ questions (e.g. to sit in an audit). These types of audits are called ‘first party audits’ and are internal audits.
    • An organization performs audits in order to provide a high degree of confidence that the supplier of a computerized system, or the computerized system itself, will meet regulatory and business requirements (once the supplier audit is completed, validation will later test/verify all the requirements). These are called ‘second party audits’ and are external audits. This topic was described in the Supplier Assessment-outsourcing [Ref.4, Fig.4]. Audits that are performed by independent organizations or certification bodies are also external audits, but are called ‘third party audits’.
  • The principles of auditing and of auditors should be integrity, fair presentation, due professional care, confidentiality, independence and an evidence-based approach. Last but not least, audits must be performed by a competent group or person, for example the Quality Unit of the regulated organization, the Quality department of the Supplier or a well-trained/certified individual. Several audit methods exist: on-site audits, postal audits (Questionnaire), joint and shared audits, corporate audits and supplier assessments. These are described in detail in [Ref.5, Appendix M2] and in [Ref.6, Table B.1 in Annex B].
  • The general steps in an audit are the following: An audit starts with a risk-based decision on the most appropriate type of audit/assessment (e.g. internal, external, etc.). Once this has been decided, the audit is initiated and the following activities take place during the audit: opening meeting, document review, evaluation (collect & verify info), generation of audit findings, conclusion and closing meeting. The audit is completed by preparing the audit report and distributing it to the auditee. If there are any corrective actions to be remediated, an audit follow-up could take place (e.g. to accept or reject a supplier of a computerized system, to issue an observation or hand out a warning letter).
  • As in the case of audits in the lifecycle of a pharmaceutical product (i.e. development, clinical, supply chain, manufacturing, quality control), CSV audits are performed during the entire CSV lifecycle (concept, project, operation, retirement). See Ref.2, Fig.1.

CSV-related audits occur often in the manufacturing operations of the regulated company to check the integrity of quality management systems, to assess change control, CAPA records and document & procedures management. CSV audits also evaluate the computerized system inventory, as well as computerized systems validation and related processes. CSV audits are also used to assess supplier conformity to pre-determined criteria, as mentioned earlier.

Why are CSV audits important?

CSV audits are important because they tend to evaluate the compliance status of computerized systems used by life sciences companies. The United States and the European Union are leading the way in the creation of regulations applicable to computerized systems. The most widely followed regulations come from the United States Food and Drug Administration (FDA). Other countries/regions in the world seem to have embraced this leadership and either follow the FDA regulations or create their own, based on the FDA’s guidance (e.g. European Union, Japan) – [Ref.10].

The manufacturing of pharmaceutical products must comply with regulations; otherwise the authorities may issue warnings of non-compliance. There is plenty of information available describing situations where pharmaceutical companies have failed to comply with current Good Manufacturing Practices (cGMP) regulations. Repeated incidents of non-compliance can lead to legal enforcement action by the regulators. The consequences of these deficiencies can be severe: patients can potentially be harmed, the ‘non-compliant’ companies may be forced to pay a lot of money in fines or shut down manufacturing facilities, and products may have to be recalled, all of which can severely damage the company’s reputation.

While most of the cGMP deficiencies that have been identified by the regulatory auditors (e.g. FDA) involve some sort of product contamination or non-compliance of production facilities with regulations, some of them are actually related to the CSV process. More specifically, these deficiencies are attributed to the failure of computerized systems to comply with regulations on validation of computerized systems and on the integrity, security and confidentiality of electronic records [Ref. 11,12,13]. Failure to promptly correct these deficiencies could result in regulatory action, which may include license suspensions, revocations, or injunctions.


Fig. 1. Examples of CSV-related deficiencies that have been identified by regulatory inspectors.

Despite a long campaign by the FDA to promote compliance with cGMP and to ensure that pharmaceutical companies abide by applicable regulations, the number of warning letters sent by the FDA to pharmaceutical industry companies still remains high [Ref.14,15].

Specifically for CSV-related deficiencies, according to Labcompliance, “Just in 2007-2010, there have been more than 30 warning letters with deviations related to computer system validation and Part 11 compliance, some with disastrous consequences for inspected companies” [Ref.16].

FDA’s Edwin Rivera reported in 2007 that 30% of FDA inspections had identified issues with electronic records [Ref.15], and Weichel reported in 2004 that between 1997 and 2004 over 20 warning letters were issued by the FDA in relation to computer system validation [Ref.17].

So the big question is how prepared a life sciences company is, or wants to be, when the authorities audit its CSV policies and procedures.


What are the CSV topics a life sciences company or a Computerized System (CS) supplier ought to consider in order to successfully pass, or to perform a CSV-related audit?

1. When we are discussing CSV, we can assume that electronic records (ER) and possibly electronic signatures (ES) are very likely to be applicable (unless otherwise stated). If this is the case, compliance with the CSV-ERES regulations and with CSV-related predicate rules must be assessed.

Note: In the FDA context, a ‘predicate rule’ is any requirement in the FDA’s cGMP regulations other than those stated in 21 CFR Part 11 (ERES). For example, while 21 CFR Part 11.10 lists several controls, including the requirement for validating a computerized system, the ‘predicate rule’ 21 CFR Part 820.70(i) also states that computerized systems shall be validated for their intended use. So, although the two regulations seem to overlap and cover basically the same concept (i.e. validation of computerized systems), the ‘predicate rule’ is the one usually referenced in FDA warning letters regarding CSV-related violations.

It is interesting to note here that, at least for some of the CSV-related FDA warning letters, the agency seems to cite only the predicate rules, and not the 21 CFR Part 11 regulations. Challenge/invitation for the reader: If a warning letter citing any of the 21 CFR Part 11 regulations can be found, please send a copy or a link to the author of this blog post.

  • CSV-related regulations: FDA predicate rules;
  • Non-FDA CSV-related regulations: UK MHRA; Annex 11 of the EU GMP Regulations – EMEA 2011 [Ref.7].
  • CSV-ERES regulations: FDA 21 CFR Part 11; Electronic Records; Electronic Signatures (ERES), [Ref.18].
    • FDA 21 CFR Part 211.68 [Ref.19]: Current Good Manufacturing Practice for Finished Pharmaceuticals – Automatic, mechanical and electronic equipment.
    • FDA 21 CFR Part 820 [Ref.20]:
      • §820.20 – Management Responsibility for Quality System Requirements
      • §820.22 – Quality Audit
      • §820.25 – Personnel
      • §820.40 – Document Controls
      • §820.70(i) – Automated Processes: validation of computer software and of computer software changes
      • §820.75 – Process Validation

2. Understand the ‘FDA-Readiness’ concept [Ref.21].

3. Review and use the 21 CFR Part 11 audit guidelines and checklist [Ref.22].

4. Maintain compliance with internal procedures, i.e. operation of the Quality Management System (including personnel training, CAPA handling, Supplier Management, etc.).

5. Ensure the existence of applicable Standard Operating Procedures (SOPs) – [see Ref.2, Fig.1].

6. Ensure validation documentation (user requirements, validation plans, test results, summaries) is available and accessible for audit purposes.


Fig. 2. Summary of considerations for successful CSV audits.

The FDA’s cGMPs [in Manufacture, Processing, Packing, or Holding of human and veterinary drugs] for electronic equipment are listed in the 21 CFR Part 211.68. When the United States Code (U.S.C.) 351(a)(2)(b) defines adulterated drugs and devices, it refers to the “cGMP” [Ref.24] and consequently to 21 CFR Part 211.68. 21 CFR Part 11 goes a step further by stating regulations on ERES.


What are the benefits of audits in CSV?

The benefits to a regulated organization or to a computerized system (CS) supplier resulting from a CSV audit could include the following:

  • The owner of the computerized system is prepared for an audit/inspection.
  • The CS supplier can increase the reliability and confidence of their product.
  • The regulated life sciences organization can maintain compliance with regulatory authorities (i.e. the law) and other auditing bodies.
  • Both CS supplier and regulated company can provide product that complies with pre-determined criteria.
  • Both CS supplier and regulated company may increase their chances of detecting and avoiding failures, which could potentially lead to patients being harmed, product being recalled, or other unwanted outcomes such as damaged reputation and monetary fines.
  • Both CS supplier and regulated company increase their chances of staying in business.


As with the degree of effort to validate a CS discussed in Ref.2, performing an audit or preparing for an audit must also follow a reasonable, pragmatic and risk-based approach. Meeting pre-determined criteria is the core objective of an audit, which as we saw contains a dual purpose: to perform an audit as well as to prepare to be audited. It must be appreciated that the CSV-related regulations apply not only to the regulated life sciences companies, but also to the suppliers of computerized systems to the life sciences companies. Both entities need to work collaboratively, so a win-win situation is achieved. A CSV practitioner can guide the organization through the audit process, provide audit follow-up services, author and review responses to audits, ensure that all required items in an audit checklist have been covered, and engage in gap assessments and in the remediation of these gaps.

Keep reading the CSV blog series with Part 6: CSV and the Cloud

References (links)

  1. Have you heard of CSV? Do you want to learn more about it? 09 Mar 2015.
  2. Have you heard of CSV? Part2. Do you want to learn even more about it? 24 Apr 2015.
  3. Have you heard of CSV? Part 3. The risk-based approach in CSV. 17 Jun 2015.
  4. Have you heard of CSV? Part 4. Suppliers of Computerized Systems in CSV. 06 Aug 2015.
  5. ISO19011: Guidelines for auditing management systems.
  6. GAMP5: A Risk-based approach to Compliant GxP Computerized Systems. ISPE 2008.
  7. The ASQ Auditing Handbook, J.P. Russell, editor, ASQ Quality Press, 2013.
  8. EudraLex Annex 11: Computerized Systems. 2001.
  9. PIC/S Guidance PI 011-3. Good practices for computerized systems in regulated GxP environments. 25 September 2007.
  10. List of international regulations and guidance for computer system and electronic records.
  11. Kevin Martin Chair GMAP Americas 10 April 2012.
  12. 21 CFR 11 Enforcement by John Avellanet. September 2011.
  13. Dr. Ludwig Huber’s 21 CFR Part 11 tutorial.
  14. http://www.fda.gov/ICECI/EnforcementActions/WarningLetters/default.htm
  15. Examples of recent FDA Warning Letters.
  16. Labcompliance On-line Audio Seminar.
  17. Weichel, P. (2004), ‘Survey of Published FDA Warning Letters with Comment on Part 11 (21 CFR Part 11)’, Journal of Validation Technology, vol. 11, no. 1, pp. 62-66.
  18. 21 CFR Part 11: Electronic Records; Electronic Signatures.
  19. 21 CFR Part 211.68: Current Good Manufacturing Practice for Finished Pharmaceuticals – Automatic, mechanical and electronic equipment.
  20. 21 CFR Part 820: Quality System Regulation.
  21. FDA-Readiness.
  22. CFR Part 11 / Audit guidelines and checklist.
  23. FDA Warning Letter on Data Integrity. (includes link to the complete Warning Letter)
  24. United States Code (U.S.C.) 351(a)(2)(b) on defining adulterated drugs and devices

Ilias Christodoulopoulos

LinkedIn link: http://ch.linkedin.com/in/iliaschristodoulopoulos
Publisher: Atos Consulting CH