Do you use Microsoft Word or Microsoft Excel for a regulated activity? If you are using electronic versions of the documents, FDA expects you to validate the use of these common applications for your intended purpose. First, take a deep breath and relax. FDA is not suddenly going off the deep end and telling us we need to validate MS Word and Excel as standalone programs. They are saying we must validate these applications for their intended use.
From a recent warning letter:
“No procedures are established to validate for its intended purpose the Microsoft Word or Microsoft Excel software used in creating and maintaining nonconformance records, product return records, internal audit corrective action records, or preventive action records.”
(FDA Warning Letter; G&B Electronic Designs Limited; Bordon, Hampshire, UK; April 2007)
Think this is too strict? Important questions to ask yourself: how does this firm ensure the documents are secure? How do they know the documents are authentic and integrity has been maintained? What is in place to ensure that the record they are accessing is the same record that was created? Did they test that? Do they have the system under change control so that if anyone changes the Word document or Excel spreadsheet they have a record of that change? Have they taken steps to ensure original data entries are not obscured (deleted)? Who made the change? When did they make the change? Why did they make the change? What about calculations in the spreadsheet? Have they been tested for accuracy and precision?
If answering these questions for your company would make you squirm a little, then you probably need to put some controls in place and do some testing. This may require special add-on tools or some customization, but it can be done. Document your requirements for security, audit trail, etc.; implement your system; develop some test scripts; execute your test scripts – does any of this sound familiar? It should. It is called validation for intended use.
Another option is to use one of the many commercial off-the-shelf systems designed to manage documents and data.
The bottom line is not to panic. We need to take a risk based approach, look at what we are using and how we are using it and ensure that we have validated it for our intended use in proportion to the risk level of the system.
While much is open to interpretation, you can typically develop a sound, defendable approach by asking the appropriate questions. Feel free to contact me if you need some tips.