Excel Spreadsheet Validation in GMP: Why FDA Auditors Are Looking Harder in 2026

Walk into almost any GMP-regulated facility in the United States and you’ll find Excel spreadsheets doing serious work. Yield calculations. Out-of-specification investigations. Batch record summaries. Equipment calibration trending. Stability data analysis. The list goes on. And in most cases, those spreadsheets have never been formally validated.

That’s a problem — and FDA auditors in 2026 are becoming significantly less tolerant of it.

Over the past 18 months, we’ve seen a meaningful uptick in Form 483 observations and warning letter language specifically calling out “failure to validate computerized systems used in GMP operations,” with Excel named explicitly in a growing share of those citations. If your quality system still treats spreadsheets as informal tools rather than regulated software, this is the moment to close that gap.

Why Excel Lives in a Regulatory Gray Zone

The confusion is understandable. Microsoft Excel isn’t a QMS platform, an LIMS, or an ERP. It came from the IT world, not the regulatory world, and for years FDA’s enforcement focus on computer system validation (CSV) was directed at larger, more obviously “validated” systems — chromatography data systems, laboratory information management systems, manufacturing execution systems.

But the regulation was never ambiguous. 21 CFR Part 211.68, which has been on the books since 1997, requires that any “automatic, mechanical, or electronic equipment” used in drug manufacturing — including data processing — be “routinely calibrated, inspected, or checked according to a written program designed to assure proper performance.” It doesn’t carve out exceptions for spreadsheets.

21 CFR Part 11 adds another layer. If your spreadsheet creates or modifies electronic records that substitute for paper records, Part 11’s requirements for audit trails, access controls, and data integrity apply. A lot of GMP spreadsheets qualify.

The net effect is that a spreadsheet controlling a batch release decision carries essentially the same regulatory obligation as a validated LIMS module. The scope of validation effort should be proportional to risk — but validation is not optional.

What GAMP5 and 21 CFR Actually Require

GAMP5, the ISPE’s Good Automated Manufacturing Practice guidance (second edition, published 2022), is the industry’s primary framework for risk-based software validation. It organizes software into five categories:

• Category 1: Infrastructure software (operating systems, databases) — no GMP validation required, but qualification of the infrastructure is
• Category 3: Non-configured software used as supplied, with no user modifications to the logic
• Category 4: Configured software — applications where users define parameters, formulas, or workflows
• Category 5: Custom-developed software built specifically for a GMP purpose

Most GMP spreadsheets land squarely in Category 4. When a scientist builds a formula to calculate % recovery, or a quality engineer writes a macro to flag OOS results, they are configuring software to perform a GMP function. GAMP5 is explicit that Category 4 systems require documented requirements, risk assessment, testing, and release.

What does that testing look like in practice? At minimum, FDA and GAMP5 both expect:

1. A documented intended use statement — what the spreadsheet does, what data it processes, and what decisions it informs
2. User requirements specification (URS) — a description of what the spreadsheet must do correctly
3. Risk assessment — an evaluation of what happens if the spreadsheet produces an incorrect result, and how likely that is
4. Functional testing (IQ/OQ equivalent) — documented evidence that formulas, macros, and calculations produce correct outputs across a defined range of inputs, including edge cases
5. Access controls and version control — who can modify the spreadsheet, and how you know which version is the validated one
6. Change control procedure — any modification to a validated spreadsheet triggers re-validation of affected functions

FDA’s 2022 draft guidance on Computer Software Assurance (CSA) doesn’t lower this bar — it shifts emphasis from documentation volume toward testing rigor. The CSA approach says: spend less time writing procedural documents and more time designing meaningful tests. That’s good news for smaller organizations, but it still requires evidence of testing. “We tested it when we built it” is not sufficient.

The 5 Spreadsheet Validation Failures FDA Auditors Catch Most Often

Based on patterns we see during pre-inspection readiness assessments, these are the failures that show up most reliably:

1. No inventory of GMP-critical spreadsheets. If you can’t produce a list of every spreadsheet used in a GMP context — with its validated status, version, and owner — FDA will start pulling on threads. Every spreadsheet found in use during the audit becomes a potential 483 item if it’s not on your list.

2. Formulas that have never been challenged. The spreadsheet works when inputs are “normal.” Nobody has tested what happens when a value is zero, negative, or outside the expected range. Auditors will enter bad data during an inspection. If your spreadsheet silently produces a wrong answer rather than flagging an error, that’s a data integrity issue.

3. Open, unprotected workbooks in shared drives. Unrestricted write access to a GMP spreadsheet is a Part 11 problem and a data integrity problem simultaneously. Any user can modify a formula or overwrite a calculation and save it without a trace.

4. No change history. Version 1, Version 2, “Final,” “Final_v2,” “Final_USE_THIS_ONE” — a pattern every auditor recognizes immediately. Without a formal change control record, you cannot demonstrate that the version in use today is the same validated version that was tested.

5. Treating validation as a one-time event. Spreadsheets drift. Formulas get edited. Columns get added. If your validation record is from 2019 and the spreadsheet has been modified since then without documented re-validation, your validation record is evidence of a different tool — not the one the auditor is looking at.

A Practical Framework for Validating GMP Spreadsheets

The good news: validating a well-scoped spreadsheet doesn’t require a multi-month project. A risk-based approach, aligned with GAMP5 Category 4 expectations, can be executed efficiently if you have the right structure.

Step 1: Build your inventory. Conduct a walkthrough of your GMP operations — manufacturing, QC lab, QA, warehouse — and document every spreadsheet used to make or support a regulated decision. Assign a risk tier (high, medium, low) based on the consequence of a calculation error. A spreadsheet that directly controls a batch disposition decision is high risk. One used for trending purposes only, where a human reviews the underlying data anyway, may be lower risk.

Step 2: Write a one-page validation plan per spreadsheet. For a high-risk spreadsheet, this plan covers scope, validation approach, tester identity, and acceptance criteria. For lower-risk tools, a simplified approach document may suffice. The plan becomes your promise to FDA about what you tested and why.

Step 3: Lock the spreadsheet before you test it. Use Excel’s worksheet protection features to restrict formula editing. Use file permissions or a document management system to control who can save changes. Document the access control configuration as part of your installation qualification. You are validating a specific, locked version — make sure it can’t change without triggering change control.

Step 4: Design tests that challenge the logic, not just confirm it. Don’t only test inputs you know work. Test the boundaries. Test zero values, negative numbers, blank cells, and values that exceed normal ranges. Test that error flags trigger when they should. Document expected results before you run each test — this is what separates a validation test from a demonstration.

Step 5: Execute, document, and retain. Run each test, record the actual result, and compare it to the expected result. Sign and date the test record. Retain it with your validation package. If a test fails, investigate, fix, and re-test — don’t simply delete the failed record.

Step 6: Establish a periodic review cadence. At least annually, confirm that the validated spreadsheet has not been modified, that its access controls are still in place, and that it remains fit for its intended use. Document this review. A one-page periodic review memo takes 30 minutes and closes a common audit gap entirely.

What “Regulatory Compliance Consulting” Actually Adds Here

We’re often brought in by quality teams who know they have a spreadsheet problem but aren’t sure where to start. The most common scenario: an upcoming FDA inspection in 90 days, an inventory of 40+ spreadsheets in GMP use, and a validation program that covers zero of them.

The triage approach — rank by risk, validate the high-risk tools first with full documentation, and create a remediation schedule for the rest — is something experienced regulatory compliance consulting support can accelerate significantly. A team that has done this for dozens of clients across pharmaceutical, medical device, and biotech environments knows which corners can legitimately be cut under a risk-based framework and which ones will get you cited regardless.

The calculation is straightforward. A 483 observation on spreadsheet validation typically results in a corrective action commitment requiring the same validation work you would have done proactively — plus the cost of the response, the follow-up inspection, and the reputational exposure. Front-loading the work is almost always cheaper.

If you’re not sure where your spreadsheet program stands, start with the inventory. That single deliverable tells you more about your validation posture than almost any other diagnostic step. And if what the inventory reveals is uncomfortable — that’s the right time to get help, not after the auditor arrives.

Written by Sam Sammane, Founder & CEO, Aurora TIC | Founder, Qalitex Group. Learn more about our team

Talk to our compliance consultants Contact us

Related from our network

• Laboratory Testing & Quality Systems Support — Qalitex Laboratories provides ISO 17025-accredited testing and quality system support for US manufacturers navigating FDA and GMP requirements.
• GMP Compliance Testing for Canadian Operations — Androxa offers GMP-aligned laboratory testing and Health Canada compliance support for manufacturers operating across the Canadian market.