FDAnews
www.fdanews.com/articles/77896-unvalidated-spreadsheets-are-compliance-risk

Unvalidated Spreadsheets Are Compliance Risk

May 9, 2006

The near-universal use of Microsoft Excel spreadsheets in the pharmaceutical industry constitutes a serious compliance risk for companies that fail to validate them, expert David Harrison warned at a May 3 FDAnews audio conference.

Many companies have failed to validate their spreadsheets because the process is "awkward" and involved, said Harrison, principal consultant for ABB Engineering Services. This has led the FDA to issue Form 483s and warning letters. For example, a June 8, 2000 warning letter to Medical Industrial Equipment in Exmouth, UK, cites the company for "failure to validate computer software used as part of the quality system." Excel is specifically listed in the letter as an example of the kind of database software not properly validated.

Almost every pharma company uses Excel spreadsheets for activities critical to good x practices (GxP), a catch-all term covering good laboratory practices, good manufacturing practices and good clinical practices, Harrison said. "The FDA itself uses it and struggles with the exact same problems." Some pharma companies have as many as 34,000 Excel spreadsheets, he added.

Excel spreadsheets, unlike documents prepared in Microsoft Word, are normally used to perform an activity and not just to display data, Harrison noted. To determine whether you need to validate any particular spreadsheet, you should simply ask whether the outcome or result is used to make GxP decisions. "If in doubt, validate it. If you choose not to because of the cost, at least have a document explaining why not."

There are several potential options for handling the validation challenge posed by Excel spreadsheets, Harrison said:

Remove Excel from all compliance activities. "In theory, this is a great idea, but few people do it," he said; Replace Excel with databases. "This is viable, but normally it does not work out to be a very cheap option," Harrison said. Databases developed in programs other than Excel tend to be more customized and thus require more validation. As a rule of thumb that applies to all types of software used for compliance activities, "the more customized something is, the more validation you have to do," Harrison said; Replace Excel with other applications. This is a clean solution, but the alternative applications are often not flexible enough and the migration can be complicated; Validate "native" (unmodified) Excel as best you can. The problem here is that "there is poor security and no good audit trail" in unmodified Excel, Harrison said. For example, it's very easy to hack into password-protected spreadsheets with software freely available on the internet; Modify your copy of Excel by writing your own custom Visual Basic macros or software for compliance. "This is not as easy as it looks, and you'll have to validate the macros," said Harrison; or Use third-party software for compliance. While this does require one to buy additional software, it is the option that Harrison favors.

Some companies try to work around the security problems with unmodified Excel by printing out all spreadsheets immediately and never saving them so as not to create a vulnerable electronic record. But this approach is impractical for many types of files that must be frequently updated, such as environmental monitoring spreadsheets, Harrison noted. It's more practical to turn off certain menu options and require users to work with Excel spreadsheets only from certain locations or create read-only templates. Documentation is critical. For example, if you are creating read-only templates, "you have to show that ordinary users can't modify them," said Harrison.

ABB Engineering divides spreadsheet validation into two separate processes: A "blue" path that only has to be followed once and a "red" path that needs to be done for each spreadsheet. The latter is more important, although the preparatory work done in the "blue" path can save work on the "red" path, Harrison said.

Critical steps on the "red" path include:

Reformatting the spreadsheet. "Be careful not to waste too much time on cosmetics," Harrison warned; Producing functional spreadsheet specifications. "Treat this as a living document. If the spreadsheet changes, change the functional specifications," Harrison said. At the same time, he added, "a lot of the requirements are the same for each and every spreadsheet;" Producing spreadsheet qualification protocols; and Executing spreadsheet qualification protocols.

Always make sure to document what you have done in spreadsheet validation, Harrison advised participants. Anything not documented is no better than a rumor as far as compliance is concerned. -- Martin Gidron (mailto:mgidron@fdanews.com)