As per ISO 13485, is Spreadsheet Validation required?

November 25th, 2024 - Michelle Keane

Welcome to the first in a series of blogs where we will start to break down ISO 13485:2016 (ISO 13485). As someone who has both implemented and audited a Quality Management System (QMS) to the requirements of ISO 13485, the nuance and interpretation of the standard by its various users, from auditors to auditees and everyone in between, never ceases to amaze me.

This past week, I posted a poll on LinkedIn asking:

“As per ISO 13485, is it true or false that a medical device organization that uses spreadsheets is only required to validate spreadsheets that contain calculations?”


Spreadsheet Validation under ISO 13485

The results were interesting: 17% believed the statement to be true, versus 83% who believed the same statement to be false. A resounding voice from the “false camp”!

So, what is the correct answer?

Drum roll please…. the requirement to validate spreadsheets extends beyond only spreadsheets that contain calculations.

Spreadsheets that contain any quality-related data, even those without calculations, will be subjected to some level of validation.

The level of validation will depend on the type of quality data captured, and what the spreadsheet is intended to do with that quality data.

But before I explain, let’s explore the various standards, regulations and guidance documents that outline or define the requirements around software validation, and more specifically spreadsheet validation.

ISO 13485

The clauses captured throughout Clause 4 of ISO 13485 are related to the planning phase of the QMS. Clause 4.1.6 makes it a mandatory requirement that organizations have a procedure in place for the validation of software used in the quality management system.

It is important to recognize that this clause is not only referring to software that is used directly in your QMS, but also any software that is used to support the management system, for example, spreadsheets.

It is also important to know that the requirement to validate spreadsheets does not mean validating the Excel software itself, but rather the spreadsheet.

In addition, clause 7.5.6 – Validation of processes for production and service provision also requires organizations to document procedures for the validation of the application of software used in production and service provision.

Importantly, both clause 4.1.6 and clause 7.5.6 specify that the approach to the validation activities shall be proportionate to the risk associated with the use of the software. It is this risk that determines the level of validation that will be applied to the spreadsheets in use.

FDA Regulations

Our US-based friends are not that different to their ISO 13485 counterparts.

21 CFR 820.70(i) states that “When computers or automated data processing systems are used as part of production or the quality system, the manufacturer shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented”.

The FDA’s guidance document – “General Principles of Software Validation” advises that “Many other commercial software applications, such as word processors, spreadsheets, databases, and flowcharting software are used to implement the quality system. All of these applications are subject to the requirement for software validation, but the validation approach used for each application can vary widely”.

Why Part 11 Compliance Matters for Spreadsheet Validation

And what about “Part 11” compliance?  Well, one should also consider what records need to comply with the FDA Electronic Records and Signature Regulation or 21 CFR Part 11.

Part 11 applies to:

  1. Records in electronic form that are created, modified, maintained, archived, retrieved, or transmitted, under any records requirements set forth in agency [FDA] regulations.
  2. Electronic records submitted to the agency under requirements of the Federal Food, Drug, and Cosmetic Act and the Public Health Service Act, even if such records are not specifically identified in agency regulations.

But what does 21 CFR Part 11 say about software validation?

Key Requirements of 21 CFR Part 11 for Software Validation

Well, indulge me for but a moment while I break it down.

Firstly, 21 CFR 11.10 states that “Persons who use closed systems to create, modify, maintain, or transmit electronic records shall employ procedures and controls designed to ensure the authenticity, integrity, and, when appropriate, the confidentiality of electronic records, and to ensure that the signer cannot readily repudiate the signed record as not genuine. Such procedures and controls shall include the following:

(a) Validation of systems to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records”.

But what is a closed system, I hear you ask? 21 CFR Part 11 defines a closed system as “an environment in which system access is controlled by persons who are responsible for the content of electronic records that are on the system”.

Phew, don’t worry this will all become clearer now that we have squared away where the standards and regulations define the requirements of software validation.

It is not lost on me that I have strayed beyond ISO 13485 specifically, but it is also stated at Clause 4.1.1 that organizations not only need to maintain effectiveness of their QMS as per the standard, but also those pesky regulatory requirements.

So why not throw you some additional information eh?

We are sound like that at Comply Guru! To be fair, most Quality Manuals I see include 21 CFR 820 in the scope of their QMS certified to ISO 13485.

So, let’s acknowledge one thing at this point. Nowhere in any of the standards or regulations mentioned does it state that validation is restricted only to software that performs calculations, or indeed spreadsheets that perform calculations. Now, shall we get down with the good stuff? I think so!

Which spreadsheets need validation? Well, ask yourself these questions: Could the spreadsheet impact on patient health, public safety and/or product quality? Now ask yourself, could the spreadsheet impact on the integrity of the data and records associated with any of those three?

And the final, and potentially most important, question: will the spreadsheet be used as an electronic record, or as a record that is controlled as per the requirements of Clause 4.2.5 of ISO 13485? Don’t forget, Clause 4.2.5 has its own requirements related to control of records.

Organizations are mandated by ISO 13485 to establish and implement a procedure detailing the controls needed “for the identification, storage, security and integrity, retrieval, retention time and disposition of records”. That word INTEGRITY is the key in this requirement. Additionally, changes to records need to be identifiable.

Now, the building blocks around spreadsheet validation are starting to form, and any reader of this should now be registering the importance of all spreadsheets and not just those that perform calculations.  How many organizations use spreadsheets to track confidential health information?  Spreadsheets are easy to navigate and filter out specific information when set up correctly.

Guess what, Clause 4.2.5 also mandates that organizations “shall define and implement methods for protecting confidential health information contained in records in accordance with the applicable regulatory requirements”. Hmmm, sounds like a job for spreadsheet validation! A validated spreadsheet will ensure all these requirements are met, if the validation is correctly performed.

Essential Spreadsheets That Demand Validation and Compliance

What are examples of spreadsheets that require spreadsheet validation and, in some cases, Part 11 compliance? Well, here we go:

  1. Spreadsheets that compute the potency of the raw material
  2. Product Complaint tracking spreadsheet
  3. Spreadsheets that track which donors are (and are not) eligible to donate plasma
  4. An accounting spreadsheet that also tracks the quality status of each lot
  5. Spreadsheets that calculate how long to dry a batch of active ingredient
  6. Spreadsheet of training on QA SOPs
  7. Spreadsheet of lab test results
  8. Spreadsheets of manufacturing schedules
  9. Spreadsheets used to calculate lab results

What next? We know the types of spreadsheets that require validation, but how is validation of all these different types of spreadsheets, with varying levels of risk and criticality, performed?

I could tell you, but………. you know the rest!

Come back next week for Part 2, where I will delve into criticality classification and the steps involved in performing spreadsheet validation and the documentation requirements associated with the validation activities.

Keep an eye on the Comply Guru LinkedIn page, where we will drop the link to part 2 when it is available.

In the meantime, have a great week and Happy QARAing!

Michelle has a proven track record with over 20 years’ experience working across both the Medical Device and Biotechnology sectors.

Currently, she is a Lead Auditor for an INAB Accredited Certification Body, and an MDR Assessor for a Notified Body in Europe. In addition, she is the Team PRRC Representative for Ireland.

CQI & IRCA Approved Training Provider

Offering certified courses since 2019

Exemplar Global Recognized Training Provider

Offering certified courses since 2020