Spreadsheet Validation Case Study: Closing a GMP Audit Finding at a Small Molecule CDMO

Results Snapshot
A small molecule contract manufacturer engaged Terraforme Biosciences after an audit finding highlighted uncontrolled spreadsheet use in GxP workflows. We helped the team move from internal debate to a defensible, risk-based program that regulators and quality teams can stand behind.
- Completed a site-wide inventory of spreadsheet usage across production and QC workflows
- Classified spreadsheets using the GAMP 5 framework (including higher risk treatment where macros were involved)
- Implemented “quick-fix” controls for low-risk spreadsheets to reduce validation burden while improving compliance
- Fully qualified critical production and QC calculators using a computerized system validation approach (URS through testing and release)
- Delivered an audit-ready response package and embedded ongoing controls into the client’s QMS via SOPs and policy
Client Context
The client was a small molecule contract manufacturer (CDMO) operating under GMP expectations with both manufacturing and QC laboratory functions. Like many regulated sites, teams relied on spreadsheets because they are fast, flexible, and familiar, especially for calculations, tracking, and intermediate decision-making. The audit finding created urgency, but the bigger challenge was clarity: different stakeholders had different interpretations of what “spreadsheet validation” should mean, what level of control was reasonable, and how to respond without creating unnecessary bureaucracy or disrupting operations.

The challenge
Spreadsheets feel simple, but when they are used to manipulate, transform, or calculate GxP data, they can become a computerized system with real compliance implications. Under GAMP 5, spreadsheets are commonly treated as Category 4 tools, and can move toward Category 5 when macros and more complex logic are introduced. That framing often surprises operations and quality teams and can lead to audit findings when spreadsheets are unmanaged. This client also faced a practical problem that shows up repeatedly in GMP environments: when is a spreadsheet “just a document,” and when is it effectively “software”? Without a consistent rule set, teams can overreact (trying to validate everything) or underreact (treating high-impact calculators as informal tools). The audit finding forced a decision, and there was internal disagreement on the right path forward, both in approach and in the wording of the response.
What We Did
Terraforme Biosciences worked with the client to move from uncertainty to a structured, risk-based program
- Mapped workflows and performed an inventory of where spreadsheets were being used, by function and by use-case (manufacturing, QC calculations, tracking tools, review aids, etc.)
- Categorized each spreadsheet using the GAMP 5 lens, including identifying spreadsheets with macros or complex logic that warranted tighter control
- Performed a risk assessment for each identified spreadsheet, focusing on GxP impact, data integrity risk, likelihood of error, detectability, and business consequence
- Identified quick wins where spreadsheets could be controlled as documents without extensive validation (for example, printing or locking formula logic for review/filing, tightening version control, and standardizing templates)
- Flagged critical calculators used in production and QC where spreadsheets were functioning as a computerized system performing GxP calculations
- For those higher-risk spreadsheets, executed a qualification program:
- Collected User Requirements Specifications (URS)
- Confirmed configuration controls and change control expectations
- Developed validation protocols to test controls
- Built testing and traceability to show requirements were met
- Implemented controls to reduce unauthorized editing (locked structure, controlled access, controlled versions)
- Supported the client in drafting a clear, defensible audit response, and implemented ongoing governance through QMS policy/SOP updates and training
The Approach
Our approach balanced compliance expectations with operational reality. We kept the program grounded in three principles
- Risk-based control (not “validate everything”)
- We focused effort where spreadsheets had real GxP impact, especially where errors could affect product quality, release decisions, or data integrity.
- Define the boundary between document vs software
- We helped the team adopt a consistent decision framework: if a spreadsheet is performing automated logic on GxP data and the output drives decisions, it should be treated with a higher level of control than a static reference document.
- Make it sustainable inside the QMS
- The goal wasn’t a one-time audit fix. We embedded spreadsheet expectations into policies, SOPs, and training so the program could be maintained through normal document control and change control.
Deliverables
- Spreadsheet inventory register tied to workflows and functional owners
- GAMP 5 categorization rationale and risk-ranking model for spreadsheet use cases
- Spreadsheet risk assessment templates and completed assessments for identified tools
- “Quick control” package for low-risk spreadsheets (versioning, review expectations, documentation approach)
- Qualification package for critical calculators, including:
- URS / intended use statements
- Test script development guidelines and objective evidence of testing
- Traceability (requirements-to-testing linkage)
- Release and controlled deployment approach
- Spreadsheet governance SOP / policy integrated into the client’s QMS
- Audit response support package and implementation plan
- Training content to align Quality, Operations, and QC on the new expectation
Lessons Learned
Spreadsheets become regulated systems faster than most teams expect. When spreadsheets perform calculations or transformations on GxP data—and the output drives decisions—they need more than informal “good practice.” Clear intended use, control, and evidence matter.
The best programs combine quick wins with targeted validation. Many spreadsheet risks can be reduced rapidly through smart controls (standard templates, version control, locking, documented logic). Reserve full qualification effort for truly critical tools.
Alignment is half the work. Internal disagreement is common because spreadsheets sit at the intersection of Quality, Operations, and IT thinking. A shared framework turns debate into action and makes the audit response easier to defend.

Ready To Grow?
Terraforme Biosciences can help you build clarity, reduce risk, and execute with confidence. Book a discovery call to discuss your goals, timeline, and what “good” looks like for your team—and whether we’re the right fit to support the work.



