Thanks to everyone who provided insights, I now understand that no single guidance specifically dictates to what extent an excel workbook used to calculate Key Risk Indicators metrics and produce centralized monitoring reports must be validated, but that several guidances collectively provide a good idea of what is expected from regulatory agencies. As the following excerpt from the General Software Validation guidance indicates: …it is not possible to state in one document all of the specific validation elements that are applicable. However, a general application of several broad concepts can be used successfully as guidance for software validation. These broad concepts provide an acceptable framework for building a comprehensive approach to software validation.
Namely, ISO 13485 and the General Principles of Software Validation guidance refer to medical devices but you can consider the following statement: All production and/or quality system software, even if purchased off-the-shelf, should have documented requirements that fully define its intended use, and information against which testing results and other evidence can be compared, to show that the software is validated for its intended use.
Similarly, 21 C.F.R. §820.70(i), AAMI TIR36 and GAMP are intended for manufacturing, but you can consider the following statement: [the manufacturer] shall validate computer software for its intended use according to an established protocol. All software changes shall be validated before approval and issuance. These validation activities and results shall be documented.
(Regarding GAMP Category, I actually believe my workbook would correspond to a Category 5 as it is meant to be customized to meet the specific needs of individual studies and it includes VBA macros to speed-up the production of centralized monitoring reports. However, since it is not involved in manufacturing, I believe the validation approach recommended for GAMP Category 5 software (i.e. IQ, OQ, PQ, etc.) would not apply to my workbook. Nevertheless, I think performing a risk assessment and referring to it in the Validation Plan would be a good idea to justify the extent of validation.)
I actually think my workbook resembles laboratory equipment more than medical devices or manufacturing systems and the PDA Technical Report 80 section 6.5.3 provides the following statement: Many laboratories use customized spreadsheets for calculations. To avoid possible data breaches, the Quality Unit should validate the customized spreadsheet template for its intended use and protect it by restricting permissions to alter the template or delete data. Typically, customized spreadsheets are validated by customizing them to the intended use with a standardized formula in the USP or another valid source, comparing the manual calculations against the spreadsheet calculations, and testing boundaries and functions.
Concerning 21 CFR Part 11 and the necessity of preserving the reliability and completeness of data, I argue that my centralized monitoring workbook does not produce records that are submitted to a statistical analysis to draw the conclusion of a study. It only computes KRI metrics using real-time raw data which might be incomplete and incorrect as they are exported from EDC and CTMS. I don't think having an audit trail and eSignature features would serve to ensure any product quality or safety, or record integrity. As such, I would not consider 21 CFR Part 11 as relevant to the implementation of a centralized monitoring system. (I am still not sure if KRIs are "trial-monitoring records" though).
After all this thinking, I plan not to overthink it. I will simply prove that the workbook does what it is intended to do. I will use my experience to think of everything that could go wrong with the workbook and have an impact on subject safety, data quality or trial integrity. I will prepare a Validation Plan accordingly as well as a Test Case document to spells out the validation steps to be performed to satisfy requirements (e.g. "enter data in INPUT!A:A and confirm that the correct results are displayed in OUTPUT!B:B"). Before executing the Test Case I will place a read-only copy of the workbook in a secure location to ensure that it does not get changed while being validated. I will then execute the tests, sign each step, complete a Validation Summary Report and get everything reviewed and approved by QA. I will then refer to the copy I have place in a secure location as the "validated" workbook.
------------------------------
Adam Beauregard RAC
Data Manager
Quebec QC
Canada
------------------------------
Original Message:
Sent: 21-Oct-2019 19:11
From: Kevin Randall
Subject: Spreadsheet Validation
The preceding post edited to remove the accidental reference to ISO 9001.
------------------------------
Kevin Randall, ASQ CQA, RAC (U.S., Canada, Europe)
Principal Consultant
ComplianceAcuity, Inc.
Golden CO
United States
www.complianceacuity.com
© Copyright 2019 by ComplianceAcuity, Inc. All rights reserved.
Original Message:
Sent: 21-Oct-2019 19:02
From: Kevin Randall
Subject: Spreadsheet Validation
Regarding an Excel workbook used to calculate Key Risk Indicator metrics for the centralized monitoring of clinical investigation of products destined for the U.S., FDA may interpret that such metrics are part of the trial-monitoring records called for by FDA trial-monitoring regulations. If FDA maintained such a stance, and if the associated records and signatures were electronic records/signatures, then 21 CFR Part 11 would apply.
In such an event, it's very important to remember that validation of the associated computerized systems (i.e., "software validation") is in fact a crucial element specifically demanded by Part 11 [but not to be confused with other similar (yet sometimes overlapping) software validation requirements like 21 CFR 820.70(i)]. Indeed, it would not be possible to comply with 21 CFR Part 11 unless its definitive software validation requirements are given due consideration.
This remains true regardless of any FDA enforcement discretion that may be applied. For example, FDA Part 11 enforcement discretion guidance states that FDA nonetheless still expects that your decision to validate computerized systems (i.e., software) generating electronic records, and the extent of the validation, will take into account the impact the systems have on your ability to meet predicate rule (such as clinical trial monitoring record) requirements. FDA told me that it will still take enforcement action if Part 11 record safety concerns are identified.
Remember also that for such Part 11 software validation, FDA specifically refers us to its guidance document on general principles of software validation and to GAMP. Therefore, Anne LeBlanc's corresponding reference to FDA's guidance document is wise indeed. Moreover, AAMI TIR36 [containing organic and distinct 21 CFR 820.70(i) and Part 11 validation guidance] wisely mentioned by Nicholas Wong was forged with key participation from FDA itself. Accordingly, the dismissal of such longstanding guidance may not be in everyone's best interest.
Also, if the aforesaid workbooks are part of a trial Sponsor's or User's ISO 13485 quality management system, then the general validation for intended use of such workbooks would be demanded by that standard. In that case, I've found ISO/TR 80002-2 (the international adaptation of AAMI TIR 36) to be quite useful for answering the specific questions Adam Beauregard raised.
On that note, it seems one final aspect of Adam's question may not yet have been answered (i.e., "…looking for something written for arguing that my workbook needs to be validated because it serves a certain purpose but that not all the workbooks we use internally need to be validated…"). For that, I leverage the GAMP 5 definition for Category 3 Off the Shelf, non-configured software which is generally exempted from validation by GAMP 5. I also recommend leveraging and adapting the basic principle embodied by FDA's statement that "…validation would not be important for a word processor used only to generate SOPs…"
Hope this helps.
------------------------------
Kevin Randall, ASQ CQA, RAC (U.S., Canada, Europe)
Principal Consultant
ComplianceAcuity, Inc.
Golden CO
United States
www.complianceacuity.com
© Copyright 2019 by ComplianceAcuity, Inc. All rights reserved.
Original Message:
Sent: 18-Oct-2019 15:51
From: Adam Beauregard
Subject: Spreadsheet Validation
I have and excel workbook which I use to calculate Key Risk Indicator metrics for the centralized monitoring of clinical trials. I believe I should validate it for its intended use (calculating metrics for trial management purpose) but I can't find a guidance that applies to the validation of a workbook that is not used to create, modify, maintain, archive, retrieve, or transmit clinical data in the clinical trial setting (not in the manufacturing setting).
Where should I look? Thanks.
------------------------------
Adam Beauregard RAC
Data Manager
Quebec QC
Canada
------------------------------