Using Spreadsheets in GxP Environments 101 - Best Practices and Recommendations

Microsoft Excel is a powerful application that can be used for many purposes throughout many business sectors. In an earlier post, we advised avoiding using Excel (and other spreadsheet applications) in a GxP context, especially when used to manage GxP activities and data records. Unfortunately, this is supported by the fact that our industry has seen a lot of spreadsheet solution misuses over the past 25 years. However, we must stay practical and recognize that spreadsheet solutions are sometimes the best available option to support specific GxP activities. What should we do then?

The truth is that spreadsheets can be used for GxP if the context is well defined, the process is well controlled, and the solution is secured. If you must take this route, the following guide should shine some light on how to use spreadsheet software in GxP environments.

Before you start: Speaking a common language

Spreadsheet validation is not well understood in the GxP space. At an organizational level, it is imperative that members of various departments (e.g., Information Technology, Quality Assurance, and Validation), all have a thorough comprehension about using spreadsheets for GxP purposes. Each department will have their own issues:

• Information Technology: Why do we have to validate a spreadsheet? How does this affect how IT deploys and manages software packages? Do we need to audit a vendor such as Microsoft?

• Quality Assurance: How can we detect non-compliance? What regulations do we need to adhere to?

• Validation: What validation activities do I need to perform and what validation deliverables do I need to generate?

Simply put, a spreadsheet can be used to manage a GxP activity or be used to record and process GxP data. Each spreadsheet (or collection of spreadsheets) can be regarded as a computerized system, to be used for an intended purpose, often to replace or enhance a traditional paper-based process.

4 critical activities when using GxP spreadsheets

What do you want the spreadsheet to do? What is its primary function? Does it manage confidential patient data for a clinical trial? Is it identifying training gaps in the organization from a compliance perspective? Is it a controlled template for a procedure, part of a company’s quality management system?

You need to be able to clearly specify the use of the spreadsheet, plan how people will interact with it, and define how this system integrates with your existing organizational structure. What you don’t want is a small faction within the organization to use a spreadsheet in an unsanctioned manner when its use is not clear or even worse, perform a duplicate activity that another system can already perform.

The use of a spreadsheet should arise from a legitimate need to manage a GxP process that no current/existing software can. Using spreadsheets is an attractive proposition because they are usually highly available and easy to use. This presents a potential non-compliance risk to companies operating in a highly regulated industry.

Systems are generally categorized to group them based on risk, complexity, and/or type, to facilitate the validation and testing process. Spreadsheets are no different. Some common examples of using spreadsheets to support regulated activities include:

a. Processing data from laboratory instruments.

b. Identifying training gaps based on training requirements.

c. Using controlled forms for data collection.

If you use system categorization to group computerized systems, then be prepared to classify a spreadsheet based on risk or complexity. Using the predefined ISPE GAMP®5 categories for software should be a good place to start for most organizations, but others may find solace in using their own classification system.

Pro-Tip: Avoid using the term “COTS” to classify your spreadsheets, as this term has been greatly misused in the Life Science industry to mean “trusted software/vendor” and “less burden for validation”. A general rule of thumb – if it has basic numerical formulae or calculations of any kind, it can be considered a GAMP®5 Category 3 system. If it has macros or is used as a database, it’s most likely a Category 5. The classification categories must be defined for the organization and most importantly, it must be applied in a consistent fashion.

Consider the spreadsheet to be a living system. As with any other system, proper installation and configuration will allow for proper use.

Configuration settings and parameters can sometimes be daunting and confusing. As a seasoned system administrator, I can provide the following suggestions: Limit end-users options and use the “mouse maze” strategy. Limiting end-user options will ensure that the system is being used appropriately. Clamping down settings related to GxP data will ensure compliance throughout the system lifecycle. The mouse-maze strategy can be described as directing the end-user forward as they operate a system, towards the intended outcome or result.

No matter the configuration strategy you decide to follow, you should also pay attention to the following:

1. Edition and versioning control of the spreadsheet application

2. Versioning control of the spreadsheet file (templates and working files)

3. Security and user account permissions:

   1. Password protection of master templates and final records, to prevent unauthorized access and/or modification.

   2. Data visibility, filtering, and integrity, to prevent unauthorized access to information and prevent testing into compliance issues from occurring.

4. Installation, configuration, and change management:

   1. Correct installation and configuration must be verified, just like any GxP system.

   2. Changes must be implemented in a controlled and methodical manner to ensure that the system remains in a compliant and validated state.

5. Management of editable and non-editable content: All fields need to be accounted for and managed. Think about static and dynamic information, system and user-entered data.

6. Data validation and error handling: Should facilitate the spreadsheet’s use and notify the user if something is wrong without directing where the data should lead. For complex systems, it may be necessary to alert a system administrator for critical errors. Most spreadsheets don’t have auditing/logging capabilities, and this should be taken into consideration during the system design phase.

7. Saving, Reporting, and Printing: When the scope of the system is being defined, be very careful where data is being saved, how it is being used, and what is the final state of the data. Working files, documents, and records, all need to be properly mapped and identified for the process in question. Be mindful of types of records and their native format, and their respected retention periods.

Systems are validated because we want to be in control when we operate them in a GxP environment. We must be able to demonstrate that a given system can be used for its intended purpose. Because we are knowledgeable about a system, and because we maintain a good relationship with its vendor, such a system should cost less to operate. Point to consider:

1. Understand your data risks: How can system data be compromised? Is data integrity intact throughout the entire process? This exercise must be performed at the organizational level. Once the concept of data integrity is well understood, practical measures need to be put in place to identify, contain and correct data integrity issues for each GxP system. Lessons learned from validation projects/studies and improvements identified for a single system should be systematically applied to other systems, where applicable.

2. Perform adequate verification testing: Many issues are encountered in this step. Ensure that the spreadsheet is actually tested based on real-world behaviour and use, and unfortunately, misuse. If you have adopted matured validation processes and activities, make sure that you test a spreadsheet like any other computerized system.

It’s validated, I am done!  Not really…

Just like any other systems, once you have validated a spreadsheet solution for GxP use, you need to subject it to your change control process.  Applying a change control process to your validated spreadsheets will ensure that changes are made systematically, documented properly, and assessed for their impact on integrity and compliance. This will help you maintain the reliability, quality, and regulatory compliance you have worked hard to archived in the first place, while also supporting operational efficiency and continuous improvement.

To sum things up

If you can avoid using spreadsheet solutions in a GxP context, do so, but if you must, start by establishing a common language to streamline the work required to validate them for GxP use, and then follow these 4 steps:

1. Define the use and purpose of the spreadsheet early on.

2. Categorize the spreadsheet based on other spreadsheets or GxP systems.

3. Configure the spreadsheet to facilitate its proper use.

4. Validate the spreadsheet as you would any other system.

After spending significant effort ensuring your spreadsheets were validated when needed, don’t just forget about them!  Be sure to keep them under control like any other GxP systems by subjecting them to your change control process.

At InnovX Solutions, we can help with your validation projects, or examine and assess your current systems to meet your compliance goals.