Excel spreadsheets provide a familiar and convenient tool to record, store or calculate GxP data. However, these attributes also make them difficult to control.
What if these attributes can be combined with the audit trail, security, and e-signature capabilities for data integrity and 21 CFR Part 11 compliance without changing the user experience? Let’s see how.
The use of Excel spreadsheets in a GxP environment arevirtually unlimited. However, if not managed and controlled properly, spreadsheets in their native format can create several compliance issues, including:
- Lack of Security Controls: Spreadsheets often have no control over who can open, edit, or work with the spreadsheets, let alone granular controls over who can edit formulas, macros, or make changes to the cell values.
- Uncontrolled changes: As a result of a lack of security controls, users can unintentionally change the logic of the spreadsheet by changing a formula or a macro.
- Lack of audit trails: Since regular spreadsheets lack any audit trails, it’s nearly impossible to identify and detect if uncontrolled changes have been made.
- No E-Signature Capability: Since spreadsheets do not have any native signature capabilities, users have to print out the workbook and sign the paper copy for GxP purposes.
Despite these limitations, spreadsheets continue to be used in GxP environments, leading to warning letters that are issued on a regular basis. A few sample observations are listed below (edited for brevity):
- “A non-validated Excel spreadsheet was utilized to calculate assay results.”
- “You used unprotected Excel worksheets to perform calculations and statistical evaluations of production data.”
- These electronic files (spreadsheets) were not secured to prevent unauthorized changes, and have no change history.”
Although users resort to using shared passwords to overcome these deficiencies, passwords are difficult to change, and can become compromised over time. Another workaround is the hybrid approach, where the spreadsheet is printed out, all calculations re-verified and the printed hard copy then signed off. Both these approaches greatly reduce the inherent benefits and efficiencies of spreadsheets.
21 CFR Part 11 Compliance Requirements for Spreadsheets
The main pillars of 21 CFR Part 11 compliance are the use of audit trails, security, and e-signatures. Specifically, this includes:
- An automated audit trail with a timestamp, cell address, type of change, old and new values, the user id, and the user name of the person making the change.
- Logging in to a spreadsheet to identify the user for audit trail and security purposes.
- Controlling access to the file (read, write, none) or the ability to lock down formulas and macros must be in place.
- Electronic signatures that include the user id, password, and meaning of the e-signature.
Important considerations for spreadsheet design and validation include the ability to:
- Lock all cells, except those needed by the user to input data.
- Make them read-only, with password protection, so only authorized users can make alterations.
- Reject data outside acceptable conditions (e.g., non-numerical inputs).
- Manually verify and test to assess accuracy.
- Maintain a permanent record of cell formulas and document all changes using a version numbering system plus documentation.
- Revalidate on a regular basis to verify the accuracy of cell formulas to ensure data integrity.
The Solution
CIMCON’s offers an Excel plugin to address the above requirements, making a spreadsheet compliant in less than a minute with a few clicks. Once applied, the system enforces a user login to ensure that only authorized users gain access. After login, users can only carry out authorized actions, accessing only the parts of the spreadsheet to which the owner has granted them access.
All user actions are tracked in an audit trail, which is stored on a secure SQL server, so that the spreadsheet’s size does not impact usage or slowed over time. A number of visual, color coded tools are provided to view the audit trail along with a reporting tool to generate ad-hoc reports.
Collectively spreadsheet users have the similar convenience, flexibility, and ease of use, while adding in compliance.
The eInfotree Excel plugin is in use by hundreds of FDA-regulated customers, including 8 of the Top 10 life science companies. Learn more about the solution here.
About the Author
Sanjay Agrawal is the President and CEO of CIMCON Software, a pioneer in developing software products and services that help companies comply with 21 CFR Part 11. CIMCON helps companies with compliant digital transformation of their spreadsheets, documents, drawings, Access databases, lab data, and training records to reduce costs, improve operational efficiencies, and achieve data integrity. Find him on LinkedIn.