In regulated industries such as pharmaceuticals, biotechnology, and healthcare, data integrity, accuracy, and security are paramount. As anyone involved in using systems that may impact patient safety will attest, those attributes are taken very seriously by regulatory authorities and life sciences organizations alike. In fact, a whole specialty field is dedicated to demonstrating that such systems are fit for their intended use, which includes demonstrating the integrity of the data they store or process. This professional field is referred to as Computer System Validation (CSV), recently revamped into what is now known as Quality Software Assurance (QSA).
While workbook software (Microsoft Excel, Google Sheets, LibreOffice Calc, etc.) is widely used for data analysis and management, most CSV/QSA teams see it as painful, if not impossible, to validate. There are good reasons for this aversion, starting with the fact that workbook software is generally plagued with inherent limitations, which are often the direct consequence of some of the benefits or advantages it provides. This means that by nature, workbooks can carry certain risks to data integrity, accuracy and security, which may compromise your ability to ensure their compliance.
Here are examples of such typical limitations:
Limited Audit Trail
Excel lacks robust audit trail capabilities, making it difficult to track changes to data, who made them, and when they occurred. In GxP environments, maintaining a comprehensive audit trail is essential for demonstrating data integrity and compliance with regulatory requirements.
Version Control Challenges
Excel files can be easily copied, modified, and distributed, leading to version control issues. Ensuring that the correct and most current version of a spreadsheet is being used can be challenging, particularly in collaborative environments where multiple users may have access to the file. Furthermore, the software version itself can be difficult to control. Older versions that can be easily hacked make this whole challenge even worse.
Data Security Risks
Excel files are prone to security vulnerabilities, such as unauthorized access, data manipulation, and accidental deletion. In GxP environments, where sensitive and confidential data is often involved, ensuring data security and confidentiality is critical to compliance.
Formula Errors
Excel formulas can be complex and prone to errors, especially in large spreadsheets with multiple calculations. Even a small formula error can have significant consequences in GxP contexts, leading to inaccurate data analysis and decision-making. If formulas are not protected, they can also be inadvertently tampered with. Even when we understand the importance of validating such formulas, they may be very hard to adequately test.
Limited Data Validation
While Excel provides some data validation features, they may not be robust enough to ensure data integrity in GxP environments. Without proper validation checks, there is a higher risk of data entry errors, inconsistencies, and inaccuracies.
Difficulty in Data Extraction and Reporting
Extracting data from Excel files for reporting and analysis purposes can be time-consuming and error-prone, especially when dealing with large datasets or complex calculations. In GxP environments, where timely and accurate reporting is essential for compliance, relying on Excel for data extraction can pose challenges.
Lack of Centralized Data Management
Excel files are often stored locally on individual computers or shared network drives, making it difficult to establish centralized data management practices. In GxP environments, centralized data storage and management are crucial for ensuring data consistency, accessibility, and security.
Difficulty in Maintaining Data Integrity
Excel files are susceptible to data integrity issues, such as accidental data entry errors, formatting inconsistencies, and unauthorized changes. Ensuring data integrity in Excel requires implementing rigorous controls and validation procedures, which can be challenging to maintain in dynamic GxP environments. Even when workbooks have file or cell locking capabilities, it is too easy for someone to forget to password protect a file or lock a worksheet/cell to prevent modification, and there are no available mechanisms to confirm whether it was done.
Complexity of Compliance Documentation
Achieving and demonstrating compliance with regulatory requirements in GxP environments involves extensive documentation, including validation documentation, standard operating procedures (SOPs), and audit trails. Managing compliance documentation in Excel can be cumbersome and prone to errors, particularly when multiple versions of documents are in use.
Risk of Data Loss or Corruption
Excel files are vulnerable to data loss or corruption due to factors such as software crashes, file corruption, or hardware failures. In GxP environments, where data integrity and availability are critical for regulatory compliance, relying on Excel as the primary data storage and management tool poses significant risks.
In summary
While Excel is a versatile tool for data analysis and management in many contexts, its limitations and inherent risks make it unsuitable for ensuring compliance with GxP requirements without significant additional controls and validation efforts. GxP-regulated industries typically rely on validated electronic systems specifically designed to meet regulatory standards for data integrity, security, and compliance.
Even though using Excel for GxP use should be avoided, it may not always be realistic to do so. In our next blog, we will define a strategy around validating Excel files and present some alternatives to mitigate the limitations and risks associated with using this ubiquitous product.