Because they are easy to use, spreadsheets are widely accepted for a number of laboratory activities, including analysis, data capture and reporting. Since these activities are part of a regulatory framework, companies using spreadsheets for them need to comply with guidelines. These guidelines are set out in FDA 21 CFR Part 11, which regulates electronic records and electronic signatures and contains specific points about the use of spreadsheets.
More about Part 11
Part 11 applies to the following:
For spreadsheets that contain records required by the underlying predicate rules such as 21 CFR Parts 210 and 211 (cGMP), Part 820 (QSR) or Part 58 (GLP).
For spreadsheets that have records that are created, modified, maintained, archived, retrieved or transmitted in electronic form, or those that are submitted to FDA in electronic form.
What are FDA 21 CFR Part 11 compliance requirements?
21 CFR Part 11 makes it clear that an electronic spreadsheet has to meet the following requirements if it is to be compliant:
Security: The aim of the security requirements is to prevent unauthorized access to records. They seek to keep records safe from unauthorized entry and access for the entire duration of the record’s shelf life, and they set out clear rules for user management functions.
Audit trails: Section 21 CFR 11.10(e) sets out the rules under which systems subject to Part 11 must employ audit trails. Under this rule, audit trails must automatically record the date and time of all entries, whether the action is the creation, modification or deletion of electronic records. An important requirement is that record changes should “not obscure previously recorded information”. To ensure this, an audit trail for spreadsheets should include a timestamp, worksheet name, cell address, action performed, old value, new value, user ID, user name and reason for change, if applicable. It is important to note that the audit trail should not be modifiable even by the system administrator.
Electronic signatures: To ensure authentication of electronic signatures, 21 CFR Part 11 covers compliance regulations for three aspects: the printed name of the signer, the date and time at which the signature was executed, and the purpose of the signature. For the last of these, the signer is expected to state whether the signature was for review, authorship, approval, or assigning a responsibility to someone else.
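An added example, not part of the original article or of the regulation: one way to make the audit trail entries listed above tamper-evident is to chain each record to the previous one with SHA-256, so that a changed, removed or reordered entry is detected on verification. The hash chaining, the function names and the sample values used with it are assumptions; Part 11 does not prescribe a mechanism.

```python
import hashlib
import json
from datetime import datetime, timezone

# Fields the article lists for a spreadsheet audit trail entry.
FIELDS = ("timestamp", "worksheet", "cell", "action", "old_value",
          "new_value", "user_id", "user_name", "reason")
GENESIS = "0" * 64  # constructed starting value for the chain
# Assumption: hash chaining is one possible mechanism, not one Part 11 names.


def _digest(prev_hash, entry):
    """Hash the previous link together with a canonical form of the entry."""
    body = json.dumps([entry[f] for f in FIELDS], separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append_entry(trail, worksheet, cell, action, old_value, new_value,
                 user_id, user_name, reason="", timestamp=None):
    """Append a record; earlier records are never rewritten, so the old
    value stays visible alongside the new one."""
    if action not in ("create", "modify", "delete"):
        raise ValueError("unknown action: %r" % action)
    entry = {
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "worksheet": worksheet, "cell": cell, "action": action,
        "old_value": old_value, "new_value": new_value,
        "user_id": user_id, "user_name": user_name, "reason": reason,
    }
    prev_hash = trail[-1]["hash"] if trail else GENESIS
    entry["prev_hash"] = prev_hash
    entry["hash"] = _digest(prev_hash, entry)
    trail.append(entry)
    return entry


def verify_trail(trail):
    """Return the index of the first altered, removed or reordered entry,
    or None when the whole chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        if (entry["prev_hash"] != prev_hash
                or entry["hash"] != _digest(prev_hash, entry)):
            return i
        prev_hash = entry["hash"]
    return None
```

A chain like this only gives tamper evidence: the latest hash has to be kept somewhere the spreadsheet's administrators cannot write, otherwise the whole chain can be recomputed or its tail removed without detection.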