Issues with Electronic Record Management Using MS-Excel
Introduction
In the pharmaceutical and medical device industries, it is common to see MS-Excel being used to create and store records. Excel is widely adopted as a user-friendly and prevalent tool in many workplace environments. However, from the perspective of meeting regulatory authority requirements, there are significant issues with record management using Excel.
This article will provide a detailed explanation of these issues and describe appropriate responses when using Excel.
Major Issues with Record Management Using Excel
1. Lack of Audit Trail
Standard Excel does not have a built-in audit trail function that automatically records data change history. Since no record remains of who changed what and when, it is impossible to track the history of data modifications. An audit trail is an essential element to ensure “Attributable” – one of the fundamental requirements of data integrity under the ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, Available).
2. Security Issues
While it is possible to set passwords on Excel files, this password protection is known to be relatively easy to circumvent. Additionally, only file-level access control is available, making it impossible to implement detailed permission management for specific cells or sheets. Furthermore, no record is kept of who accessed the file and when.
3. Inability to Automatically Check Input Data
Although Excel has data validation features, these settings can be easily disabled or deleted. It is difficult to implement data verification based on complex business rules, and it is not easy to confirm that the validation rules are being maintained appropriately.
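One way to confirm that validation rules are still in place is to read them out of the .xlsx package and compare them with an approved baseline. The following Python code is an added example, not part of the original article; the function names, the sample range C2:C50 and the 2.0 to 8.0 limits are constructed for illustration, and the sample "workbook" is a minimal constructed package containing only one worksheet part.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# SpreadsheetML main namespace used by worksheet parts inside an .xlsx package.
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

def validation_rules(xlsx_bytes):
    """Return the set of (sheet part, range, type, operator, formula1, formula2) rules."""
    rules = set()
    # Assumes the workbook comes from the organization's own controlled store.
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for dv in root.iterfind(".//m:dataValidation", NS):
                rules.add((name, dv.get("sqref", ""), dv.get("type", ""),
                           dv.get("operator", ""),
                           dv.findtext("m:formula1", "", NS),
                           dv.findtext("m:formula2", "", NS)))
    return rules

def drift(approved_bytes, current_bytes):
    """Compare the current file's rules with the approved template's rules."""
    approved = validation_rules(approved_bytes)
    current = validation_rules(current_bytes)
    return {"removed": sorted(approved - current), "added": sorted(current - approved)}

def make_sample(sheet_xml):
    """Build a constructed, minimal package holding a single worksheet part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()

# Constructed sample data: one decimal range check, then the same sheet without it.
SHEET = ('<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
         '<sheetData/>%s</worksheet>')
RULE = ('<dataValidations count="1"><dataValidation type="decimal" operator="between" '
        'sqref="C2:C50"><formula1>2.0</formula1><formula2>8.0</formula2>'
        '</dataValidation></dataValidations>')
APPROVED = make_sample(SHEET % RULE)
CURRENT = make_sample(SHEET % "")
```

Calling drift(APPROVED, CURRENT) reports the C2:C50 rule under "removed", which is the silent deletion described above.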
4. Printing Issues (Cut-off, Overflow)
When printing Excel files, page breaks and cell contents may not print properly. Even when confirmed in print preview, the actual printed results may differ, causing problems when archiving records.
5. Significant Digit Issues
Excel uses floating-point arithmetic, which can result in minute errors in calculation results. Additionally, the number of displayed digits may differ from the internal value, potentially causing data discrepancies. This requires particular attention in scientific calculations and situations requiring precise numerical management.
6. Version Compatibility Issues
The .xlsx format (Excel 2007 and later) is primarily used today, but compatibility issues exist with the older .xls format (Excel 97-2003). When files using newer version features are opened in older versions, features may be lost or the display may be corrupted. Additionally, Excel version updates can change calculation results or function behavior.
7. Macro Virus Infection Risk
Excel macros (VBA) carry security risks. Files containing macros (.xlsm or .xls) can potentially execute malicious code, so sufficient management systems are needed when using macros. The source and content of macros must be verified before enabling them.
8. Limited Use of Electronic Signatures
Standard Excel files do not have the robust electronic signature functionality required by 21 CFR Part 11 or ER/ES guidelines. While digital signatures can be applied, practical operation is difficult because the signature becomes invalid if any part of the file is modified. The signature verification process is also complex.
9. Manual Work Required for Every Creation or Modification
Record creation and modification in Excel fundamentally require manual input and editing. This increases the risk of human error. Additionally, work efficiency decreases when handling large volumes of data.
10. Inability to Auto-generate Table of Contents and Indexes
When managing multiple Excel files, the lack of functionality to automatically generate tables of contents and indexes makes file management and searching difficult. This problem becomes more pronounced in large-scale projects.
Relationship with Regulatory Requirements
FDA 21 CFR Part 11
The U.S. Food and Drug Administration’s (FDA) 21 CFR Part 11 establishes requirements for electronic records and electronic signatures. The following requirements are particularly important:
- System Validation: Demonstrating that the electronic record system functions as intended
- Audit Trail: Changes must be automatically and independently recorded
- Access Management: Only authorized individuals can access the system
- Electronic Signatures: Electronic signatures must have legal binding force
In October 2024, the FDA issued final guidance on the use of electronic systems, electronic records, and electronic signatures in clinical investigations, clarifying expectations for modern technologies such as digital health technologies, cloud-based platforms, and mobile applications. This guidance emphasizes risk-based validation approaches and ensuring data integrity.
Japanese Ministry of Health, Labour and Welfare ER/ES Guidelines
Japan’s guidelines for electronic records and electronic signatures were issued on April 1, 2005, as “Utilization of Electromagnetic Records and Electronic Signatures in Applications for Approval or Permission of Pharmaceutical Products” (ER/ES Guidelines). These guidelines are essentially equivalent in content to 21 CFR Part 11, organizing requirements for electromagnetic records from three perspectives: “authenticity,” “readability,” and “retention.”
- Authenticity: Electromagnetic records are complete, accurate, and reliable, with clear responsibility for creation, modification, and deletion
- Readability: Electromagnetic records can be displayed or printed in human-readable format
- Retention: Electromagnetic records can be preserved for the necessary period and retrieved when needed
In March 2024, the Japan Association of Clinical Research Organizations published the “Revised ER/ES Guidelines Commentary,” presenting approaches based on the latest information technology, including the use of cloud services.
Data Integrity
In recent years, ensuring data integrity has become a key focus of regulatory authority inspections. Data integrity means that data is complete, consistent, and accurate throughout its entire lifecycle.
The UK Medicines and Healthcare Products Regulatory Agency (MHRA) issued “GXP Data Integrity Guidance” in March 2018, explaining the ALCOA+ principles in detail. The FDA has also issued guidance on data integrity, strongly demanding assurance of data reliability.
From 2024 to 2025, data integrity violations continue to be a major cause of FDA warning letters, with frequent citations of missing audit trails and uncontrolled changes.
The Problem with Hybrid Operations
Operations that create records electronically, print them on paper, and then add handwritten signatures are called “hybrid operations.” These hybrid operations pose significant data integrity risks.
Why Hybrid Operations are Problematic
Hybrid operations enable the following fraudulent activities:
- Create and print a record on August 22, 2016, and sign it with that date (normal operation)
- Later, a need arises to conveniently modify the record for some reason
- Modify (falsify) the original Excel file on August 22, 2016
- Reprint the modified record
- Sign it dated March 31, 2016 (backdating)
- Discard the old printout and replace it with the new printout
In this case, the signature date on the paper medium is March 31, 2016, but the Excel file’s update date is August 22, 2016.
Detection During FDA Inspections
FDA inspectors are well aware of such data fraud techniques and receive specialized training in detection methods. During inspections, the following verifications are conducted:
- Comparison of handwritten signature dates with Excel file update dates (timestamps)
- Verification of consistency between paper medium content and Excel file content
- Confirmation of file creation, update, and access dates
- Comparison with backup data
In the example above, because the file date (August 22, 2016) is newer than the signature date (March 31, 2016), the following is suspected:
- Possible data falsification
- Possible backdated signature
- Questions regarding record authenticity
When such suspicions arise, proving that no falsification occurred is extremely difficult.
Essential Requirements When Using Excel
If Excel must be used for data entry, the following requirements must be met:
1. Ensuring Immediacy
After data entry, promptly (if possible within the same day) print and sign with that day’s date.
This minimizes discrepancies between electronic record creation date/time and signature date/time. Ideally, printing and signing should occur within a few hours of input completion.
As an alternative, converting to PDF and applying electronic signatures is possible, but the electronic signature system must meet 21 CFR Part 11 or ER/ES guideline requirements.
2. File Preservation
Do not delete the entered Excel file.
Even after printing on paper, the original Excel file must be retained. This is for future comparison and auditing purposes. The retention period should follow applicable regulatory requirements (e.g., for GMP records, a specified period after manufacturing).
3. Timestamp Protection
Do not change the timestamp (file date) of the entered Excel file.
Care must be taken not to change timestamps when copying or moving files. Some file operations and backup tools may alter timestamps. The following are recommended for timestamp protection:
- Verification of file system-level attributes
- Recording checksums or hash values
- Regular backups and their verification
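Recording hash values and file system timestamps at signing time, and later repeating the inspector's comparison of signature date against file date described under Detection During FDA Inspections, can be done with a small manifest. The following Python code is an added example, not part of the original article; the file name, manifest fields and function names are assumptions, the file contents are constructed, and the dates reuse the article's scenario (UTC is used so the result does not depend on the local time zone).

```python
import hashlib
import os
import tempfile
from datetime import date, datetime, timezone

def fingerprint(path):
    """Return (SHA-256 hex digest, modification time in UTC) for one record file."""
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
    return digest, mtime

def register(path, signed_on):
    """Manifest entry created on the day the printout is signed."""
    digest, mtime = fingerprint(path)
    return {"path": path, "sha256": digest, "mtime": mtime, "signed_on": signed_on}

def audit(entry):
    """Re-check a file against its manifest entry and return the findings."""
    if not os.path.exists(entry["path"]):
        return ["file missing"]
    digest, mtime = fingerprint(entry["path"])
    findings = []
    if digest != entry["sha256"]:
        findings.append("content changed since registration")
    if mtime != entry["mtime"]:
        findings.append("timestamp changed since registration")
    if mtime.date() > entry["signed_on"]:
        findings.append("file modified after signature date")
    return findings

def demo():
    """Constructed scenario: signed 2016-03-31, file edited 2016-08-22."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "batch_record.xlsx")  # hypothetical file name
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content v1")
        signed = datetime(2016, 3, 31, 9, 0, tzinfo=timezone.utc).timestamp()
        os.utime(path, (signed, signed))
        entry = register(path, date(2016, 3, 31))
        before = audit(entry)          # nothing has changed yet
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content v2")
        edited = datetime(2016, 8, 22, 15, 0, tzinfo=timezone.utc).timestamp()
        os.utime(path, (edited, edited))
        return before, audit(entry)
```

The manifest itself has to be stored where the people who edit the records cannot rewrite it, otherwise it can be regenerated after a change.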
4. Management in a Secure Environment
Manage entered Excel files in a secure environment.
Specifically, the following measures are necessary:
- Access permission settings: Only approved individuals can access files
- Network security: Firewalls and access controls to prevent unauthorized access
- Physical security: Entry restrictions to server rooms, etc.
- Backups: Regular backups and protection of backup data
The most recommended method is recording on write-once media such as CD-R or DVD-R (WORM: Write Once Read Many). This makes file falsification physically impossible. However, these media also have aging issues, requiring regular read verification and migration planning.
Today, timestamp services using blockchain technology and electronic notarization services are also options.
5. Verification and Comparison
Regularly confirm that paper medium and Excel file contents match.
During internal audits or self-inspections, verify the following:
- Do the Excel file date and paper medium signature date match?
- Do the Excel contents and paper medium contents match?
- Are files properly stored?
- Are security measures functioning appropriately?
Ensuring Data Integrity
Hybrid operations using Excel inherently contain data integrity risks. The following responses should be considered:
1. Implementation of Dedicated Electronic Record Systems
Consider implementing a dedicated Electronic Record Management System that complies with 21 CFR Part 11 or ER/ES guidelines. These systems have the following features:
- Automatic audit trail recording
- Access management and permission control
- Electronic signature functionality
- Data validation
- Backup and recovery functions
- Search and reporting functions
2. Review of Business Processes
Rather than simply implementing a system, review the entire business process and consider reducing dependence on paper media:
- Implementation of electronic workflows
- Digitization of approval processes
- Record lifecycle management
- Training and awareness improvement
3. Risk-Based Approach
If immediate migration of all records to a dedicated system is difficult, adopt a risk-based approach:
- Prioritize records that directly affect patient safety or product quality
- Determine priorities based on data importance and falsification risk
- Develop a phased migration plan
4. Continuous Improvement
Ensuring data integrity is not completed with a one-time response:
- Conduct regular internal audits
- Analyze deviation trends
- Continuously monitor technology trends and regulatory requirements
- Employee training and awareness improvement
- Appropriate implementation of CAPA (Corrective and Preventive Action)
Conclusion
MS-Excel is a convenient tool, but from the perspective of regulatory compliance in the pharmaceutical and medical device industries, it has many issues. In particular, it is difficult to meet the requirements of 21 CFR Part 11, ER/ES guidelines, and data integrity guidance.
If Excel must be used, the requirements outlined in this article must be strictly observed, the risks associated with hybrid operations must be fully understood, and appropriate management must be implemented. However, in the long term, considering migration to a dedicated electronic record management system is the most reliable method to ensure data integrity and meet regulatory requirements.
Regulatory authorities increasingly emphasize data integrity assurance, and improper record management can lead to serious consequences such as product approval delays, issuance of warning letters, and even product recalls or manufacturing suspensions. Instilling a culture of data integrity throughout the organization and establishing appropriate systems and procedures is essential for the company’s continued success.
References
- FDA 21 CFR Part 11 – Electronic Records; Electronic Signatures
- FDA Guidance: Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations (October 2024)
- Ministry of Health, Labour and Welfare “Utilization of Electromagnetic Records and Electronic Signatures in Applications for Approval or Permission of Pharmaceutical Products” (April 1, 2005)
- Japan Association of Clinical Research Organizations “Revised ER/ES Guidelines Commentary” (March 26, 2024)
- MHRA GXP Data Integrity Guidance and Definitions (March 2018)
- WHO Technical Report Series, No.996, Annex 5: Guidance on Good Data and Record Management Practices
- FDA Guidance for Industry: Data Integrity and Compliance with CGMP
- PIC/S Good Practices for Data Management and Integrity in Regulated GMP/GDP Environments (PI 041-1)