Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Xybion Webinar - Rumors, Risks and Realities of spreadsheet validation


Published on

Webinar on the risks realities and rumors of spreadsheet validation

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

Xybion Webinar - Rumors, Risks and Realities of spreadsheet validation

  1. 1. Spreadsheet Validation Rumors, Reality, & Risks Live Webinar
  2. 2. Xybion Corporation Fast Facts Corporate Our Products Global Locations Founded in 1977 Privately Held, NMSDC Certified MBE R&D Solutions GRC/BPM Solutions Enterprise Asset and Content Management Services & Solutions NJ and PA Locations in US Quebec City, Canada Germany India Our Global Services Innovative Development & Testing COE In India Delivers Quality Testing & Development Services Internal Product Development & Support Value Proposition Lowering Total Cost of Ownership Delivering Enterprise Products, Services, and Solutions That Power Innovation & Efficiency
  3. 3. Xybion Offers Comprehensive Industry Solutions for major Enterprise Processes under one roof, lower Total Cost Of Ownerships through validated software and services implemented through a global hybrid resource model based in US. Canada and India. GRC Total Preclinical Internal Controls ECM Synchronization EAM Validation & Testing Risk Mgt Vivarium Management and Veterinary Care Quality CAPA Management ECM Migration & Consolidation IT Governance Audit Mgt Automated Migration Incident Mgt LMS PMO Research & Safety Study Management Change Control Bulk Consolidation NC Complai nt Mgt Doc Mgt Metadata Consolidation & Transformations Repository Synchronization & Replication EAM Software EAM Professional Services Validation & Verification Services EAM Custom Development Software Testing Services
  4. 4. About the speaker Harry Huss has over 25 years of experience in the pharmaceutical industry. He is currently Executive Director, Brandywine Compliance Consulting, LLC, and has held positions as Senior Director Compliance Policy & Program Support Services, Charles River Laboratories, Inc., Associate Director of Computer Validation Quality Assurance, Merck & Company, Inc., and Regulatory Compliance Manager, SmithKline Beecham, Inc. Harry has a M.S. degree in Clinical Microbiology from Thomas Jefferson University, and B.S. degrees in Biology and Medical Technology from Millersville University and Bryn Mawr respectively. He has provided a wide variety of computer validation and Part 11 presentations at professional meetings, provided computer validation training for the FDA, authored the Master Validation Plan for FDA’s National Center for Toxicological Research (NCTR), and published numerous scientific and regulatory compliance articles. Harry is a member of the Drug Information Association Validation Core Committee as well as an original and current member of the Society of Quality Assurance Computer Validation Initiatives Committee (CVIC).
  5. 5. Agenda • • • • • • Introduction Rumors Realities Risks Summary Questions & Discussion
  6. 6. Spreadsheet Validation: 3 “R’s” Risks
  7. 7. Rumors
  8. 8. Rumor #1 • The FDA has indicated that commercially available spreadsheets cannot be adequately validated, and therefore should not be used to support regulated activities. • The FDA has not indicated that spreadsheets, or any other category of computerized systems, should be excluded from supporting regulated activities.
  9. 9. Rumor #2 • The FDA has indicated that due to the widespread use of commercial spreadsheets these applications are deemed to be accurate and reliable, and therefore do not require any further validation by the end user. • The FDA has not exempted spreadsheets, or any other category of computerized system, from compliance with applicable regulations, when these systems are used to support regulated activities.
  10. 10. Rumor #3 • The FDA has indicated that an end user of spreadsheet systems can employ the “calculator rule” to avoid validation, conducting verification of spreadsheet arithmetic calculations using a handheld calculator.
  11. 11. Rumor #3 (cont.) • The FDA does not have a “calculator rule”, exempting spreadsheet validation compliance requirements. • A handheld calculator could be used as part of the spreadsheet validation process, to verify the accuracy of spreadsheet calculations • Required validation controls and testing are broader than only arithmetic accuracy. • system security, audit trail function, data input/output, e-records and e-archival criteria, administrative controls, configuration management controls, etc.
  12. 12. Rumor #4 • The FDA has indicated that a company can avoid validation of spreadsheet systems by documenting a risk assessment which states that due to the widespread use of spreadsheet systems, the risk to regulated data created by, or entered into, these spreadsheets is low, and therefore validation of current and future uses of spreadsheet systems will not be required.
  13. 13. Rumor #4 (cont.) • FDA has stated repeatedly that risk assessment is not an alternative to compliance. • FDA has indicated that computerized systems must be validated for their intended use. • Risk assessment can be employed to determine: • relative criticality of a system • level of testing needed for individual requirements • level of mitigation/remediation necessary for potential test script failures • BUT, applicable regulatory requirements remain as requirements.
  14. 14. Reality
  15. 15. Reality • FDA 483 and Warning Letter citations for spreadsheets are more numerous than other categories of computerized systems. There are probably 3 reasons that findings related to spreadsheets are more common: • Large number of spreadsheets • Lack of management support for spreadsheet validation • FDA investigators and QA auditors know that spreadsheet systems are often not well controlled (validated), and the spreadsheet applications often have design deficiencies related to requirements for security and audit trails.
  16. 16. “Basic” Reality • FDA and other international regulatory agencies have requirements for validation of computerized systems used to support regulated activities. • Validation of computerized systems is commonly defined as, documented evidence which provides a high degree of assurance that a computerized system will operate accurately and reliably to its predefined specifications (requirements) and quality attributes. • A spreadsheet application running on a desktop or laptop computer is a computerized system. • A spreadsheet used to support regulated activities must be validated for its intended use.
  17. 17. “Harsh” Reality • As with most obligate regulatory requirements, there are no real shortcuts • There are no hidden industry secrets that allow avoidance of compliance • There is no risk assessment approach which trumps regulations • During a regulatory inspection, either a spreadsheet system will have documentation which provides adequate assurance of system accuracy, reliability, and compliance with applicable regulatory “quality attributes” (audit trail, security, etc.)….or adequate documentation will not be available.
  18. 18. Reality Efficiencies • Have a defined process for computerized system validation (including spreadsheets). Nothing saves as much money in the area of validation as having a process which your employees can follow for all computerized systems. • Don’t start from scratch… plagiarize, plagiarize, and then plagiarize some more. • Don’t try to validate the spreadsheet program…you won’t be successful.
  19. 19. Risks
  20. 20. Risks • The primary risk associated with spreadsheets relates to business continuity • Will these spreadsheets provide accurate data? • Will these spreadsheets adequately protect data from being compromised? • The almost infinite configurability and limitless uses of spreadsheets make these products powerful business tools, but this flexibility also opens the door to bad things happening.
  21. 21. Risks • If a company fails to validate spreadsheets used for regulated activities, then that company is inviting audit report findings or regulatory actions • With numerous 483 and Warning Letter findings related to spreadsheets, it is clear that FDA investigators are looking at spreadsheet controls and have expectations that these systems be validated for their intended use.
  22. 22. Risks • The ease of spreadsheet distribution and installation presents regulatory control challenges. • Wide distribution, broad end user individual configuration, less administrative and IT support, result in greater potential for a system to drift out of control • Must consider how to effectively address system security (applications on laptops go home and travel with people…applications on central servers generally don’t go anywhere). • How will subsequent change control and configuration management be handled?
  23. 23. Risks • FDA investigators and industry auditors are aware that spreadsheet systems generally have two major design deficiencies related to regulatory compliance…security and audit trail functions. • IT staff or techie staff members try to mitigate these deficiencies by developing “workarounds”, but often these workarounds do not resolve the compliance deficiencies.
  24. 24. Risks • Software vendors recognized the spreadsheet audit trail and security issues and have produced software products, which operate in tandem with spreadsheets to mitigate these design gaps • Readily available, easy to install, relatively inexpensive, consistent solution • Our webinar host, Xybion, produces such a product named Compliance Builder
  25. 25. Summary • Spreadsheets are widely distributed and • • • • uniquely configured computerized systems Critical to business continuity Regulatory agencies require these systems to be validated for their intended use Commercial products are available to mitigate design gaps Rumors do not replace regulations
  26. 26. Questions & Discussions
  27. 27. Life Sciences Challenges IT Governance Global Regulatory Pressure .. FDA … Life-Sciences Companies Financial Controls SOX Operational Efficiency
  28. 28. Compliance Builder - Overview Xybion is an acknowledged leader in providing enterprise solutions for Regulatory, Quality and Compliance (GRC) to Life Sciences industry. ComplianceBuilder is one of the solutions from Xybion which helps address one of the core needs CFR Part 11 and related Compliance needs especially with the Life Science companies.
  29. 29. How does ComplianceBuilder help? Provides capabilities needed to meet requirements such as: 21 CFR Part 11, Sarbanes-Oxley Monitors key data sources, such as: Files on Workstations or Servers Tables in Databases Process and Manufacturing Equipments
  30. 30. ComplianceBuilder Functionality available with 3 sub-systems
  31. 31. Thank You!