The "Shadow System" Risk: A Regulatory Analysis of Spreadsheets in GxP

Executive Summary

Spreadsheets are the "Dark Matter" of the regulated life-science enterprise. They are everywhere, holding the universe together, yet often invisible to IT governance. While flexible and fast, repeated FDA enforcement actions demonstrate that uncontrolled spreadsheets present a systemic compliance risk, particularly when they function as de-facto computerized systems.

This article analyzes spreadsheet risk through the lens of recent FDA warning letters, including an August 2025 citation, focusing on the gap between "User Intent" (a calculator) and "Regulatory Reality" (a computerized system).

The Core Conflict: Tool vs. System

The FDA does not regulate based on software brand; they regulate based on intended use.

Many Quality Directors view Excel as a "digital piece of paper."
The FDA views Excel as GAMP Category 5 Custom Software.

When a spreadsheet is used to generate GxP data, perform release calculations, or store quality decisions, it is a Computerized System. As such, it must meet the same standards as LIMS or ERP systems:

• 21 CFR Part 11: Electronic Records & Signatures.
• 21 CFR 211.68(b): Input/Output verification.
• ALCOA+: Data Integrity principles.

If spreadsheets cannot defend themselves against users deleting rows, they are not compliant systems.

Case Study: The "Unvalidated Scale-Up" (August 2025)

The risk is not hypothetical. In August 2025, the FDA issued a Warning Letter to a joint device/drug manufacturer specifically citing the use of unvalidated Excel spreadsheets for formulation calculations.

The Finding:
The firm relied on a spreadsheet to calculate the final concentration of an active ingredient. While the math worked for standard batch sizes, the FDA flagged that the firm had failed to validate the spreadsheet logic for scaling (different batch sizes).

The regulators noted that without validating the "formulation software" (the spreadsheet) for variable inputs, there was no assurance against super-potent or sub-potent finished products, posing a direct safety risk.

The Lesson:
It was not enough that the formulas were "correct" in theory. The firm failed to prove:

1. Structural Integrity: That the logic holds up under different variables (scaling events).
2. Confirmatory Testing: That the spreadsheet's output was verified against physical reality (Lab Assays) before release.

This warning letter destroys the myth that Excel is safe if organizations just "lock the cells." The FDA is scrutinizing the validation of the logic and the process, not just the file security.

The 4 Pillars of Spreadsheet Failure

1. The Audit Trail Illusion

The Regulation: 21 CFR 11.10(e) requires secure, computer-generated, time-stamped audit trails that independently record the date and time of operator entries and actions.

The Excel Reality:

• Track Changes is not an Audit Trail. It is easily disabled, cleared, or ignored.
• "Save As" is not Version Control. Saving v2_final_FINAL.xlsx breaks the chain of custody.
• The Gap: In a compliant system, history is immutable. In Excel, history is editable. If a user can overwrite a failed test result with a passing one and hit "Save," the data integrity is compromised.

2. The "Hybrid System" Fallacy

Many firms attempt to mitigate risk by printing the spreadsheet to PDF and signing the paper. They argue the paper is the "True Record."

The FDA Position:
The FDA guidance on Data Integrity (2018) distinguishes between Static (paper/PDF) and Dynamic (electronic) records.

• If the spreadsheet contains formulas, metadata, or trends that are lost when printed, the electronic file is the record.
• Printing a dynamic record to a static PDF does not absolve organizations of validating the underlying electronic system. Organizations are simply printing a snapshot of an unvalidated tool.

3. User Attribution

The Regulation: 21 CFR 11.10(d) requires limiting system access to authorized individuals.

The Excel Reality:
Spreadsheets stored on shared network drives (SharePoint/OneDrive) often inherit folder-level permissions.

• If "Lab Group" has write access, organizations cannot prove which specific technician entered the data.
• Without an enforced, individual login to the file itself, attribution is legally defensible only by "Honor System," which is not a regulatory control.

4. Logic Degradation

Software code is compiled and frozen. Spreadsheets are "fluid", subject to entropy where formulas degrade over time.

• A user accidentally types over a formula with a hard-coded number.
• A sort operation scrambles row alignment.
• A link to an external workbook breaks.

Without Automated Regression Testing (checking the math every time the file is opened), organizations cannot guarantee that spreadsheets work today as they did when validated three years ago.

The "Red Flag" Self-Assessment

If organizations answer "No" to any of these questions regarding critical spreadsheets, they are likely carrying remediable risk:

Conclusion: From Document to Application

The era of "validating the spreadsheet" is closing. The overhead required to wrap Excel in enough SOPs, manual checks, and macros to satisfy an auditor is often higher than the cost of replacing it.

Modern compliance requires a shift in mindset: Don't validate the document. Validate the data flow.

For regulated organizations, the safest path forward is often Remediation: converting high-risk logic into locked, database-backed applications where compliance is enforced by code, not by culture.

References

• FDA Warning Letter: August 2025 (Reference: Failure to validate software used in production per 21 CFR 820.70(i)).
• FDA Guidance for Industry: Data Integrity and Compliance with Drug CGMP (April 2018).
• 21 CFR Part 11: Electronic Records; Electronic Signatures.
• 21 CFR 211.68: Automatic, mechanical, and electronic equipment.