Spreadsheet - Used for complaint investigation - Validation required or not

[Balachander]

Hi,

We have a spreadsheet where our customers fill the information (complaints) out and submit to us. This spreadsheet Information is used in complaint investigation. Does this spreadsheet require validation as it documents complaint investigations?

Thanks,
Bala

 

[Ronen E]

Hi,

We have a spreadsheet where our customers fill the information (complaints) out and submit to us. This spreadsheet Information is used in complaint investigation. Does this spreadsheet require validation as it documents complaint investigations?

Thanks,
Bala

Face value, I think it doesn't.
Does the spreadsheet have any functionality other than plain documentation, e.g. are there any formulae in it / does it perform any calculations / does it include macros?
If not, or only very basic functions built-in into the SW package by default (e.g. calculating number of days between dates), I tend to think it's already validated sufficiently by the developer.

 

[Balachander]

Face value, I think it doesn't.
Does the spreadsheet have any functionality other than plain documentation, e.g. are there any formulae in it / does it perform any calculations / does it include macros?
If not, or only very basic functions built-in into the SW package by default (e.g. calculating number of days between dates), I tend to think it's already validated sufficiently by the developer.

Yes no formula just plain documentation like device info, description of complaint, patient info, treatment parameters in a MS Excel spreadsheet. I assumed the same but wanted confirmation.

 

[Tidge]

It may not require functional validation, but this sounds an awful lot like a record for which it may be worthwhile to establish an audit trail.

 

[yodon]

it may be worthwhile to establish an audit trail.

This is extremely important. How will you know if recorded information changed or something was deleted? I've heard there's a way to maintain a proper (?) audit trail in Excel but haven't had the chance to see how it works.

Depending on the "patient info" you collect, you may also be subject to the GDPR which means an elevated level of protection on the spreadsheet.

 

[Bev D]

And Yodon identified the gotcha.
You need to safeguard this info from alteration and hacking and un-authorized access and use. That part will need to be validated.

 

[Ronen E]

You need to safeguard this info from alteration and hacking and un-authorized access and use.

This is a very broad requirement. In this day and age protecting something 100% from hacking (let alone validating such status) is almost impossible, unless the protection is based on printing out a hard copy and keeping it in a safe + positively destroying (erasing) the source. Creating a "picture" file (by whatever means) is less burdensome but is definitely not "safeguarding the info from alteration and hacking and un-authorized access". Relying on Excel for the above is... a little naive.

In my response to the OP I related to functional validation. Cybersecurity, data protection and the rest are - in my opinion - to be addressed on a more holistic level and not on an application-by-application basis (including validation where and as necessary). My initial assumption was that the spreadsheet is used in this case for more than mere "data capture" / as a "dumb" form - why use a spreadsheet otherwise? One could just use, for example, a Word template or a fillable PDF form. Hence my focus on formulae etc. in that spreadsheet. If all it's used for is recording info by the user, I think that selecting Excel for the task unnecessarily complicates the situation, including the aspects of data protection mentioned above. If this is examined from a more holistic cybersecurity etc. perspective, I'm sure there are ways to make the info much more protectable, upfront.

 

[Jim Wynne]

In this day and age protecting something 100% from hacking (let alone validating such status) is almost impossible,

There's a difference between "safeguarding" and 100% protection.

 

[Bev D]

This is a very broad requirement. …
In my response to the OP I related to functional validation. Cybersecurity, data protection and the rest are - in my opinion - to be addressed on a more holistic level and not on an application-by-application basis (including validation where and as necessary).

And both statements are true. The OP doesn’t have a product software validation situation. They do have a ‘holistic’ responsibility. Legally, for whatever regulatory oversight they may have (adverse event reporting comes to mind) and fiduciary (no one wants their competition to get wind of Customer complaints that can be used against them or inside knowledge of their Customer base).
(My assumption is that the use of a spreadsheet is because they are a smaller company without an ERP system where customer complaints are standard options and are typically very well controlled and safeguarded from alteration and hacking. If they are a company that has ERP software my recommendation is to always avoid things like microsoft solutions as they are ad how and very difficult to control).

 

[Tidge]

Specific to the question of using an electronic form to collect information from a customer and "protecting the integrity of the form", I have a suggestion that should allow sidestepping questions of audit trails and data integrity of the form used by customers:

Transfer the data from the (rather open) form into a more controlled (i.e. closed) system used for complaint management, and as part of the process "handshake" back with the customer (or other filer of the complaint) what information was recorded in the system.