Validate Excel spreadsheets in GxP environments
In this article, we outline the steps to follow to validate Excel spreadsheets and overcome the weaknesses of spreadsheets for GxP compliance.
Recently, our colleague Mayte Garrote Gallego, CTO at Oqotech, contributed an article to the magazine FarmaEspaña Industrial about why and how to validate Excel spreadsheets in GxP environments, which we share and excerpt below.
Validation applies to all forms of computerized systems used as part of the activities regulated by GxP. Therefore, if spreadsheets are used to manage regulated information, their operation and security must be ensured according to the intended use determined through a validation project.
The validation should cover the entire life cycle of the computerized system, considering patient safety, data integrity and product quality.
The life cycle is understood here as all the phases of the life of a system, from the initial requirements to its withdrawal, including design, specifications, programming, testing, installation, operation, and maintenance.
Validation must be carried out by a multidisciplinary team that can provide knowledge and experience in the management of the regulated process, quality assurance and IT (management and infrastructure).
Spreadsheet validation project
The following describes all the steps to follow in a spreadsheet validation project.
Identification of spreadsheet to validate
- Inventory of Excel sheets used in the management of the process of development, study, manufacture and/or distribution of the product.
- Risk analysis, from the point of view of the sheet's intervention in the process: whether it affects the quality of the product or the integrity of the data on the traceability of the product.
- Classification of Excel sheets according to the data management they provide.
The expected use of Excel at the functional level should be clearly defined, covering data entry, information processing and the results to be generated. The user requirements and the requirements below should be recorded in a report for each regulated Excel sheet:
Data integrity requirements:
- Security options: access credentials (username and password) and an access record.
- Protection of cells to prevent their modification: calculation cells, titles that inform about the meaning of the data, etc.
- Configuration of editing permissions by user, at the user, document and cell level. That is, controlling which cells of each document and workbook each user is able to edit.
- Audit trail for regulated cells.
- Record of the registration, modification, and deregistration of regulated cells, specifying: the user who performed the action, date and time, document, sheet and cell modified, new value, old value and reason for the change.
- A field blocking option for fields that, once entered, should not be modified.
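The data integrity requirements above (per-user cell permissions, an audit record with the listed fields, a mandatory reason, and fields blocked after first entry) can be modelled as follows. This is an added example, not code from the article or from Oqotech; `AuditRecord`, `RegulatedWorkbook`, `set_cell` and the sample document name are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class AuditRecord:  # fields taken from the audit-trail requirement above
    action: str
    user: str
    timestamp: str
    document: str
    sheet: str
    cell: str
    old_value: object
    new_value: object
    reason: str

class RegulatedWorkbook:
    """Hypothetical in-memory model of one regulated document."""
    def __init__(self, document, permissions, write_once=()):
        self.document = document
        self.permissions = permissions     # {user: {(sheet, cell), ...}}
        self.write_once = set(write_once)  # fields blocked once entered
        self.values, self.audit_trail = {}, []

    def set_cell(self, user, sheet, cell, new_value, reason):
        key = (sheet, cell)
        if key not in self.permissions.get(user, set()):
            raise PermissionError(f"{user} may not edit {sheet}!{cell}")
        if not reason.strip():
            raise ValueError("a reason for the change is required")
        if key in self.write_once and key in self.values:
            raise PermissionError(f"{sheet}!{cell} is blocked after first entry")
        old_value = self.values.get(key)
        if new_value is None:              # None means "remove the entry"
            action = "deregistration"
            self.values.pop(key, None)
        else:
            action = "registration" if key not in self.values else "modification"
            self.values[key] = new_value
        stamp = datetime.now(timezone.utc).isoformat()
        record = AuditRecord(action, user, stamp, self.document, sheet, cell,
                             old_value, new_value, reason.strip())
        self.audit_trail.append(record)
        return record

def demo():
    """Constructed sample: one analyst entering and then correcting a value."""
    wb = RegulatedWorkbook("batch_record.xlsx", {"analyst": {("Results", "B2")}})
    wb.set_cell("analyst", "Results", "B2", 7.1, "initial entry")
    wb.set_cell("analyst", "Results", "B2", 7.2, "transcription error")
    return [(r.action, r.old_value, r.new_value) for r in wb.audit_trail]
```

An OQ test script can drive the same cases (unauthorized user, missing reason, second write to a blocked field) against the real spreadsheet and compare the resulting audit trail with the expected records.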
IT administration requirements, required as standard:
- Security of the Excel storage directory.
- Change control for updating versions of Excel.
- Qualification of the installation, IQ. Existence of installation procedures and registration of the version code.
- Standard Operating Procedures, SOP. Existence of procedure for using Excel.
- Design qualification, DQ. Check that the functional requirements and data integrity are met.
- Qualification of the operation, OQ. Verify the functional and data integrity requirements.
- Process Qualification, PQ. Review of user control, security, protocols, and traceability.
Acceptance and release report
A report that collects the following project data for each validated Excel sheet:
- Summary of results: link to documents of results and information to be highlighted (deviations and change controls).
- Final opinion.
- Maintenance plan for validation status.
Maintaining the control status
In order to keep the environment validated permanently, it is necessary to determine the procedures that will be implemented in the organization:
- Procedures that reflect the activities to be carried out, their time of execution and periodicity, and scheduled revisions, and that determine the responsible parties.
- Security: keep the correct configuration of the access granted to users who will use Excel.
- Change control: modifications in the Excel content (calculations, links, etc.), as well as in the versioning of the same. Changes must be registered, their impact assessed (ensuring correct future functioning and the data integrity of historical information) and executed if the evaluation is positive.
- Restrict access, both physical and logical, to the critical parts of the IT infrastructure. Only responsible and qualified personnel can have access.
- Implement a backup and data restoration strategy according to the criticality of the information managed.
The weakness of spreadsheets for GxP compliance
When validating Excel spreadsheets in GxP environments, the following shortcomings are usually found:
- Access control, restricted to authorized users only. User management: by ID and password. Permission management: read, write, definition of ranges and signatures. Access log.
- Control of critical Excel ranges: locking of cells containing calculations, control of data entry ranges (sets of cells), control of electronic signature ranges, distinguishing the roles of generator, reviewer (optional) and approver.
- Audit trail: a record of changes in the management of the Excel information and in its security configuration.
To mitigate these shortcomings, at Oqotech we propose the use of Oqosafe, a spreadsheet security tool that adds functionality to spreadsheets so that they comply with the requirements of the regulatory bodies, including the FDA or GxP, such as:
- Definition of access rights to Excel sheets, customizable by the user.
- Definition of read and write permissions by Excel sheet and cell, customizable by the user.
- Track all data changes with Audit Trails in real-time.
- Management of electronic signatures for the blocking of Excel information. The signatures have an approval flow (with the roles of generator, reviewer, and approver).
- Administration tool for users, passwords, and security.
Below, you can download and read the full article by Mayte Garrote in FarmaEspaña Industrial.