Some are white and nice others are dark and may cause thunder and lightening, point choose your direction and go into everything with eyes wide open.
Xybion Webinar - Rumors, Risks and Realities of spreadsheet validation
Xybion Corporation Fast Facts
Founded in 1977
Privately Held, NMSDC Certified MBE
Enterprise Asset and Content Management Services
NJ and PA Locations in US
Quebec City, Canada
Innovative Development & Testing COE In India
Delivers Quality Testing & Development Services
Internal Product Development & Support
Lowering Total Cost of Ownership
Delivering Enterprise Products, Services, and
Solutions That Power Innovation & Efficiency
Xybion Offers Comprehensive Industry Solutions for major Enterprise Processes
under one roof, lower Total Cost Of Ownerships through validated software and
services implemented through a global hybrid resource model based in US.
Canada and India.
Vivarium Management and
ECM Migration &
Research & Safety Study
Metadata Consolidation &
Repository Synchronization & Replication
Validation & Verification
Software Testing Services
About the speaker
Harry Huss has over 25 years of experience in the pharmaceutical industry. He is currently Executive Director,
Brandywine Compliance Consulting, LLC, and has held positions as Senior Director Compliance Policy & Program
Support Services, Charles River Laboratories, Inc., Associate Director of Computer Validation Quality Assurance,
Merck & Company, Inc., and Regulatory Compliance Manager, SmithKline Beecham, Inc.
Harry has a M.S. degree in Clinical Microbiology from Thomas Jefferson University, and B.S. degrees in Biology
and Medical Technology from Millersville University and Bryn Mawr respectively. He has provided a wide variety of
computer validation and Part 11 presentations at professional meetings, provided computer validation training for
the FDA, authored the Master Validation Plan for FDA’s National Center for Toxicological Research (NCTR), and
published numerous scientific and regulatory compliance articles. Harry is a member of the Drug Information
Association Validation Core Committee as well as an original and current member of the Society of Quality
Assurance Computer Validation Initiatives Committee (CVIC).
• The FDA has indicated that commercially
available spreadsheets cannot be adequately
validated, and therefore should not be used to
support regulated activities.
• The FDA has not indicated that spreadsheets,
or any other category of computerized
systems, should be excluded from supporting
• The FDA has indicated that due to the
widespread use of commercial spreadsheets
these applications are deemed to be accurate
and reliable, and therefore do not require any
further validation by the end user.
• The FDA has not exempted spreadsheets, or
any other category of computerized system,
from compliance with applicable regulations,
when these systems are used to support
• The FDA has indicated that an end user of
spreadsheet systems can employ the “calculator
rule” to avoid validation, conducting verification
of spreadsheet arithmetic calculations using a
Rumor #3 (cont.)
• The FDA does not have a “calculator rule”,
exempting spreadsheet validation compliance
• A handheld calculator could be used as part of
the spreadsheet validation process, to verify the
accuracy of spreadsheet calculations
• Required validation controls and testing are
broader than only arithmetic accuracy.
• system security, audit trail function, data input/output,
e-records and e-archival criteria, administrative
controls, configuration management controls, etc.
• The FDA has indicated that a company can
avoid validation of spreadsheet systems by
documenting a risk assessment which states that
due to the widespread use of spreadsheet
systems, the risk to regulated data created by, or
entered into, these spreadsheets is low, and
therefore validation of current and future uses of
spreadsheet systems will not be required.
Rumor #4 (cont.)
• FDA has stated repeatedly that risk assessment
is not an alternative to compliance.
• FDA has indicated that computerized systems
must be validated for their intended use.
• Risk assessment can be employed to
• relative criticality of a system
• level of testing needed for individual requirements
• level of mitigation/remediation necessary for potential
test script failures
• BUT, applicable regulatory requirements remain as
• FDA 483 and Warning Letter citations for
spreadsheets are more numerous than other
categories of computerized systems. There are
probably 3 reasons that findings related to
spreadsheets are more common:
• Large number of spreadsheets
• Lack of management support for spreadsheet
• FDA investigators and QA auditors know that
spreadsheet systems are often not well controlled
(validated), and the spreadsheet applications often
have design deficiencies related to requirements for
security and audit trails.
• FDA and other international regulatory agencies
have requirements for validation of computerized
systems used to support regulated activities.
• Validation of computerized systems is commonly
defined as, documented evidence which
provides a high degree of assurance that a
computerized system will operate accurately and
reliably to its predefined specifications
(requirements) and quality attributes.
• A spreadsheet application running on a desktop
or laptop computer is a computerized system.
• A spreadsheet used to support regulated
activities must be validated for its intended use.
• As with most obligate regulatory requirements,
there are no real shortcuts
• There are no hidden industry secrets that allow
avoidance of compliance
• There is no risk assessment approach which
• During a regulatory inspection, either a
spreadsheet system will have documentation
which provides adequate assurance of system
accuracy, reliability, and compliance with
applicable regulatory “quality attributes” (audit
trail, security, etc.)….or adequate documentation
will not be available.
• Have a defined process for computerized system
validation (including spreadsheets). Nothing
saves as much money in the area of validation
as having a process which your employees can
follow for all computerized systems.
• Don’t start from scratch… plagiarize, plagiarize,
and then plagiarize some more.
• Don’t try to validate the spreadsheet
program…you won’t be successful.
• The primary risk associated with spreadsheets
relates to business continuity
• Will these spreadsheets provide accurate data?
• Will these spreadsheets adequately protect data
from being compromised?
• The almost infinite configurability and limitless
uses of spreadsheets make these products
powerful business tools, but this flexibility also
opens the door to bad things happening.
• If a company fails to validate spreadsheets used
for regulated activities, then that company is
inviting audit report findings or regulatory actions
• With numerous 483 and Warning Letter findings
related to spreadsheets, it is clear that FDA
investigators are looking at spreadsheet controls
and have expectations that these systems be
validated for their intended use.
• The ease of spreadsheet distribution and
installation presents regulatory control
• Wide distribution, broad end user individual
configuration, less administrative and IT support,
result in greater potential for a system to drift out
• Must consider how to effectively address system
security (applications on laptops go home and
travel with people…applications on central
servers generally don’t go anywhere).
• How will subsequent change control and
configuration management be handled?
• FDA investigators and industry auditors are
aware that spreadsheet systems generally have
two major design deficiencies related to
regulatory compliance…security and audit trail
• IT staff or techie staff members try to mitigate
these deficiencies by developing “workarounds”,
but often these workarounds do not resolve the
• Software vendors recognized the spreadsheet
audit trail and security issues and have produced
software products, which operate in tandem with
spreadsheets to mitigate these design gaps
• Readily available, easy to install, relatively
inexpensive, consistent solution
• Our webinar host, Xybion, produces such a
product named Compliance Builder
• Spreadsheets are widely distributed and
uniquely configured computerized systems
Critical to business continuity
Regulatory agencies require these systems to be
validated for their intended use
Commercial products are available to mitigate
Rumors do not replace regulations
Life Sciences Challenges
Compliance Builder - Overview
Xybion is an acknowledged leader in providing
enterprise solutions for Regulatory, Quality and
Compliance (GRC) to Life Sciences industry.
ComplianceBuilder is one of the solutions from
Xybion which helps address one of the core needs
CFR Part 11 and related Compliance needs
especially with the Life Science companies.
How does ComplianceBuilder help?
Provides capabilities needed to meet
requirements such as:
21 CFR Part 11,
Monitors key data sources, such as:
Files on Workstations or Servers
Tables in Databases
Process and Manufacturing
Functionality available with 3 sub-systems