2. Xybion Corporation Fast Facts
Corporate
Our Products
Global
Locations
Founded in 1977
Privately Held, NMSDC Certified MBE
R&D Solutions
GRC/BPM Solutions
Enterprise Asset and Content Management Services
& Solutions
NJ and PA Locations in US
Quebec City, Canada
Germany
India
Our Global
Services
Innovative Development & Testing COE In India
Delivers Quality Testing & Development Services
Internal Product Development & Support
Value
Proposition
Lowering Total Cost of Ownership
Delivering Enterprise Products, Services, and
Solutions That Power Innovation & Efficiency
www.xybion.com
3. Xybion Offers Comprehensive Industry Solutions for major Enterprise Processes
under one roof, lower Total Cost Of Ownerships through validated software and
services implemented through a global hybrid resource model based in US.
Canada and India.
GRC
Total
Preclinical
Internal
Controls
ECM
Synchronization
EAM
Validation &
Testing
Risk
Mgt
Vivarium Management and
Veterinary Care
Quality
CAPA
Management
ECM Migration &
Consolidation
IT
Governance
Audit
Mgt
Automated
Migration
Incident
Mgt
LMS
PMO
Research & Safety Study
Management
Change
Control
Bulk
Consolidation
NC
Complai
nt Mgt
Doc
Mgt
Metadata Consolidation &
Transformations
Repository Synchronization & Replication
EAM Software
EAM Professional
Services
Validation & Verification
Services
EAM Custom
Development
Software Testing Services
www.xybion.com
4. About the speaker
Harry Huss has over 25 years of experience in the pharmaceutical industry. He is currently Executive Director,
Brandywine Compliance Consulting, LLC, and has held positions as Senior Director Compliance Policy & Program
Support Services, Charles River Laboratories, Inc., Associate Director of Computer Validation Quality Assurance,
Merck & Company, Inc., and Regulatory Compliance Manager, SmithKline Beecham, Inc.
Harry has a M.S. degree in Clinical Microbiology from Thomas Jefferson University, and B.S. degrees in Biology
and Medical Technology from Millersville University and Bryn Mawr respectively. He has provided a wide variety of
computer validation and Part 11 presentations at professional meetings, provided computer validation training for
the FDA, authored the Master Validation Plan for FDA’s National Center for Toxicological Research (NCTR), and
published numerous scientific and regulatory compliance articles. Harry is a member of the Drug Information
Association Validation Core Committee as well as an original and current member of the Society of Quality
Assurance Computer Validation Initiatives Committee (CVIC).
www.xybion.com
8. Rumor #1
• The FDA has indicated that commercially
available spreadsheets cannot be adequately
validated, and therefore should not be used to
support regulated activities.
• The FDA has not indicated that spreadsheets,
or any other category of computerized
systems, should be excluded from supporting
regulated activities.
www.xybion.com
9. Rumor #2
• The FDA has indicated that due to the
widespread use of commercial spreadsheets
these applications are deemed to be accurate
and reliable, and therefore do not require any
further validation by the end user.
• The FDA has not exempted spreadsheets, or
any other category of computerized system,
from compliance with applicable regulations,
when these systems are used to support
regulated activities.
www.xybion.com
10. Rumor #3
• The FDA has indicated that an end user of
spreadsheet systems can employ the “calculator
rule” to avoid validation, conducting verification
of spreadsheet arithmetic calculations using a
handheld calculator.
www.xybion.com
11. Rumor #3 (cont.)
• The FDA does not have a “calculator rule”,
exempting spreadsheet validation compliance
requirements.
• A handheld calculator could be used as part of
the spreadsheet validation process, to verify the
accuracy of spreadsheet calculations
• Required validation controls and testing are
broader than only arithmetic accuracy.
• system security, audit trail function, data input/output,
e-records and e-archival criteria, administrative
controls, configuration management controls, etc.
www.xybion.com
12. Rumor #4
• The FDA has indicated that a company can
avoid validation of spreadsheet systems by
documenting a risk assessment which states that
due to the widespread use of spreadsheet
systems, the risk to regulated data created by, or
entered into, these spreadsheets is low, and
therefore validation of current and future uses of
spreadsheet systems will not be required.
www.xybion.com
13. Rumor #4 (cont.)
• FDA has stated repeatedly that risk assessment
is not an alternative to compliance.
• FDA has indicated that computerized systems
must be validated for their intended use.
• Risk assessment can be employed to
determine:
• relative criticality of a system
• level of testing needed for individual requirements
• level of mitigation/remediation necessary for potential
test script failures
• BUT, applicable regulatory requirements remain as
requirements.
www.xybion.com
15. Reality
• FDA 483 and Warning Letter citations for
spreadsheets are more numerous than other
categories of computerized systems. There are
probably 3 reasons that findings related to
spreadsheets are more common:
• Large number of spreadsheets
• Lack of management support for spreadsheet
validation
• FDA investigators and QA auditors know that
spreadsheet systems are often not well controlled
(validated), and the spreadsheet applications often
have design deficiencies related to requirements for
security and audit trails.
www.xybion.com
16. “Basic” Reality
• FDA and other international regulatory agencies
have requirements for validation of computerized
systems used to support regulated activities.
• Validation of computerized systems is commonly
defined as, documented evidence which
provides a high degree of assurance that a
computerized system will operate accurately and
reliably to its predefined specifications
(requirements) and quality attributes.
• A spreadsheet application running on a desktop
or laptop computer is a computerized system.
• A spreadsheet used to support regulated
activities must be validated for its intended use.
www.xybion.com
17. “Harsh” Reality
• As with most obligate regulatory requirements,
there are no real shortcuts
• There are no hidden industry secrets that allow
avoidance of compliance
• There is no risk assessment approach which
trumps regulations
• During a regulatory inspection, either a
spreadsheet system will have documentation
which provides adequate assurance of system
accuracy, reliability, and compliance with
applicable regulatory “quality attributes” (audit
trail, security, etc.)….or adequate documentation
will not be available.
www.xybion.com
18. Reality Efficiencies
• Have a defined process for computerized system
validation (including spreadsheets). Nothing
saves as much money in the area of validation
as having a process which your employees can
follow for all computerized systems.
• Don’t start from scratch… plagiarize, plagiarize,
and then plagiarize some more.
• Don’t try to validate the spreadsheet
program…you won’t be successful.
www.xybion.com
20. Risks
• The primary risk associated with spreadsheets
relates to business continuity
• Will these spreadsheets provide accurate data?
• Will these spreadsheets adequately protect data
from being compromised?
• The almost infinite configurability and limitless
uses of spreadsheets make these products
powerful business tools, but this flexibility also
opens the door to bad things happening.
www.xybion.com
21. Risks
• If a company fails to validate spreadsheets used
for regulated activities, then that company is
inviting audit report findings or regulatory actions
• With numerous 483 and Warning Letter findings
related to spreadsheets, it is clear that FDA
investigators are looking at spreadsheet controls
and have expectations that these systems be
validated for their intended use.
www.xybion.com
22. Risks
• The ease of spreadsheet distribution and
installation presents regulatory control
challenges.
• Wide distribution, broad end user individual
configuration, less administrative and IT support,
result in greater potential for a system to drift out
of control
• Must consider how to effectively address system
security (applications on laptops go home and
travel with people…applications on central
servers generally don’t go anywhere).
• How will subsequent change control and
configuration management be handled?
www.xybion.com
23. Risks
• FDA investigators and industry auditors are
aware that spreadsheet systems generally have
two major design deficiencies related to
regulatory compliance…security and audit trail
functions.
• IT staff or techie staff members try to mitigate
these deficiencies by developing “workarounds”,
but often these workarounds do not resolve the
compliance deficiencies.
www.xybion.com
24. Risks
• Software vendors recognized the spreadsheet
audit trail and security issues and have produced
software products, which operate in tandem with
spreadsheets to mitigate these design gaps
• Readily available, easy to install, relatively
inexpensive, consistent solution
• Our webinar host, Xybion, produces such a
product named Compliance Builder
www.xybion.com
25. Summary
• Spreadsheets are widely distributed and
•
•
•
•
uniquely configured computerized systems
Critical to business continuity
Regulatory agencies require these systems to be
validated for their intended use
Commercial products are available to mitigate
design gaps
Rumors do not replace regulations
www.xybion.com
27. Life Sciences Challenges
IT Governance
Global Regulatory
Pressure ..
FDA …
Life-Sciences
Companies
Financial
Controls
SOX
Operational
Efficiency
www.xybion.com
28. Compliance Builder - Overview
Xybion is an acknowledged leader in providing
enterprise solutions for Regulatory, Quality and
Compliance (GRC) to Life Sciences industry.
ComplianceBuilder is one of the solutions from
Xybion which helps address one of the core needs
CFR Part 11 and related Compliance needs
especially with the Life Science companies.
www.xybion.com
29. How does ComplianceBuilder help?
Provides capabilities needed to meet
requirements such as:
21 CFR Part 11,
Sarbanes-Oxley
Monitors key data sources, such as:
Files on Workstations or Servers
Tables in Databases
Process and Manufacturing
Equipments
www.xybion.com