Since their introduction to the public in 1979, spreadsheets have come a long way. Even while technology has changed, from Apple II computers to artificial intelligence, spreadsheets have had incredible staying power. Nevertheless, spreadsheets struggle to keep pace with GxP requirements.
In regulated companies, required to adhere to GxPs, spreadsheets can be useful, but they are also a regulatory liability. Many organizations still rely heavily on spreadsheets for critical processes—often underestimating the risks that this poses. While spreadsheets offer flexibility and familiarity, they introduce significant challenges that can compromise data integrity, traceability, and compliance.
Why Spreadsheets are Problematic in GxP Settings
Spreadsheets were never designed for regulated environments. They lack inherent controls to ensure the ALCOA+ compliance of data, such as audit trails, user access controls, e-signatures, and data version management—all key pillars of GxP compliance. When used for tasks such as batch record management, GMP library inventories, stability data tracking, laboratory calculations, or validation documentation, spreadsheets can quickly turn well-intentioned solutions into GxP risks.
Since spreadsheets are routinely created and used by personnel who are not programmers, they are prone to being included in a site’s QMS toolkit. They are often used to compensate for missing functionality in existing computer systems or in interfaces to move data from one system to another. Too many times, they are not included in data integrity risk assessments or even basic compliance determinations. This makes the unassessed spreadsheet an invisible trap that is often discovered during a regulatory inspection. Some real-life examples are included below; take note if any of these apply to your firm:
Actual FDA 483 Observations for Spreadsheets
1. Raw Material Tracking
In 2023, a manufacturer in California was cited in a three-part observation for use of an Excel spreadsheet to track raw material inventory, specifically, because there were “…no controls to prevent users from retroactively editing information…,” “no audit trails to capture changes in the spreadsheet,” and “no controls to prevent users from deleting information within the spreadsheet or deleting the spreadsheet itself.”
2. Analytical Calculations Not Password Protected
Also in 2023, a contract testing lab in Tennessee was cited because “Microsoft Excel software used to record and calculate laboratory data from [redacted] is not in a quality control state to ensure data accuracy.”
3. Manufacturing Batch Record Issue
A manufacturer in Michigan was cited because “[t]he master batch record is maintained in an Excel worksheet and its reproduction for use in production is not checked for accuracy, initialed, and dated.”
Disproportionate Actions?
Once discovered during a regulatory inspection, many firms rationalize why spreadsheets are not a problem or immediately perform validation, regardless of whether they have considered practical mitigation plans. We have found this to be a significant problem. Lachman has guided many firms to create optimized mitigation strategies to navigate this situation. Resources are scarce. Why waste yours?
Watch Points and Red Flags
Consider these red flags. Has your internal audit team looked at the spreadsheets in use within your organization? Do they have the requisite skills to identify these issues and know how to mitigate them?
- Lack of Audit Trails – No way to track who changed what and when.
- Uncontrolled Versions – Multiple copies floating across teams.
- Manual Data Entry – Higher error rates with no automated checks.
- No Access Controls – Anyone can edit or delete files.
- Hidden Formulas and Macros – Hard to detect errors and validate.
- Inconsistent Backups – Risk of data loss from local storage.
- Validation Challenges – Frequent changes make validation difficult.
The Bottom Line
Spreadsheets may seem convenient, but in a GxP environment, convenience can come at the cost of compliance. Organizations should consider using experts who have experience balancing this risk. Bad advice can cost a company time, money, and reputation.
Your firm is probably using spreadsheets that are putting your compliance at risk, but will you become aware before a regulator does? Contact Lachman Consultants at LCS@LachmanConsultants.com for help managing this risk.
