The Compliance Problem With Excel Trackers And Other Computational Tools — And How AI Can Help

By Sidharth Ananthanarayan, clinical research and quality professional

Word, Excel, PowerPoint, Outlook, Gmail, and other everyday tools have become ubiquitous in drug development workflows. Excel plays an especially critical role in facilitating trackers, logs, lists, vendor and supplier oversight, data review, data reconciliation, IP shipping, IP tracking, and more. The tools are robust, flexible, and have a low learning curve. However, many teams ignore their one critical risk: compliance.¹

The Problems With These Tools

Initially, these tools are meant for convenience but end up as integral to the process. They start as a data retention tool but end as a critical record without any validation, retention of an audit trail, or record protection. They become the basis for a meeting decision, a submission support activity, a site escalation, a monitoring action, a safety follow-up, or a quality metric. The files are easy to copy, rename, email, overwrite, and store in uncontrolled locations. Formulas can be changed without obvious visibility. Cells can be sorted incorrectly. Data can be pasted over validation rules. Users may share passwords or work from local copies. The “track changes” functionality is not a true 21 CFR Part 11 audit trail, and industry commentary has repeatedly pointed out that it can be incomplete, user-dependent, or vulnerable to manipulation.² Teams also do not account for the control mechanisms and how reliable they are in confirming an activity occurred in a controlled tool that can account for the history and maintain an audit trail. Because there is no certification for these tools in Part 11, as their owners often point out, the regulated organization is the one responsible for how the tool is configured, validated, governed, and used.

What The FDA Says About Part 11 Compliance

In 2003, the FDA published Part 11 guidance that outlines the requirements to maintain records when electronic tools and electronic signatures are used instead of paper-based and wet ink-signed records.^3,4 21 CFR 312.62 says investigators must maintain adequate and accurate case histories and retain required records for the applicable period.⁵ 21 CFR Part 11 describes the controls needed for closed systems, including computer systems validation, accurate and complete copies, record protection and retrieval, access restricted only to authorized users, secure computer-generated and time-stamped audit trails, operational checks, authority checks, device checks, training records, written policies for electronic signatures, and controls over system documentation.^{3, 6, 7.}

In 2024, the FDA reported 692 site investigations and 125 sponsor inspections. In both types of audits, the FDA issued Form 483s in 22.5% and 24.8% of the instances, respectively ^8,9. A Form 483 identifies potential violations, including missing records, missing or inadequate data, data discrepancies, and inadequate validation of electronic systems used to maintain source records. These findings clearly highlight a critical challenge in the use of computational tools for recording, storing, and archiving critical data that must be compliant with 21 CFR Part 11 ^8,9.

Why Custom Software Solutions Aren’t The Answer

Custom-built software meant to fix the Part 11 compliance problem is expensive to build, deploy, and maintain. The solutions require strong expertise, manual hours, and coordination between the sponsor company to translate its requirements into computational language and work with the developers to implement the user requirements. Then, the sponsor must test the tools and confirm they are compliant with Part 11.

Data suggests that a basic SaaS-based MVP is roughly $30,000 to $60,000, a growth-stage product can cost $60,000 to $150,000, and enterprise SaaS with SSO/SAML, audit logging, analytics, custom workflows, and compliance needs costs approximately $150,000 to $250,000 or more. Validation adds an additional layer to the overall cost; full system validation can cost $40,000 to $120,000 per system over six to 12 weeks, including user requirements, validation planning, IQ/OQ/PQ protocols, execution, and summary reporting ^10. A computer system validation (CSV) assessment and road map may cost $15,000 to $25,000, while building an internal CSV program may cost $75,000 to $150,000. In regulated environments, validation is not a paperwork add-on; it is part of the cost of making a tool defensible ^11.

How AI Can Help Computational Tools Comply With Part 11

AI can make a problem visible, reduce the manual burden of remediation, and help organizations move toward better-controlled processes. It enables faster information exchange between the development team and the biotech and pharmaceutical companies. The translation barrier can be easily resolved with the use of AI, as current AI tools can understand the use cases, create action plans for developers to work with, and build the solutions/tools that can assist the biotech and pharmaceutical companies to use. Advanced use of AI can also reduce the time taken in building some of the UI/UX aspects of the tools, complete some of the testing activities to confirm the workflow of the tool meets all the user requirements, and draft validation protocols that can be reviewed and implemented.

Common cases in which AI can make the use of computational tools compliant include:

1. Technical inspection. AI and rule-based analytics can detect hidden sheets, broken formulas, unlocked cells, hard-coded values where formulas are expected, external links, macros, inconsistent ranges, missing data validation, duplicate records, and unusual edits. Spreadsheet risk management tools have existed for years; AI can make them more scalable and easier to use with controlled formulas that can be traced and analyzed. It can also summarize what changed between versions and help reviewers focus on the changes most likely to affect data integrity.
2. Validation support. Validation documentation is one reason spreadsheet control programs fail. User requirements, risk assessments, test scripts, traceability matrices, change impact assessments, and periodic review of records take time. AI can draft validation artifacts from a controlled template and a documented intended use. It can propose test cases for formulas, edge cases, protected cells, and user roles. It can compare executed results against expected results. However, the organization still has to approve the intended use, execute or verify testing, resolve deviations, and retain the evidence.
3. Migration. In many cases, the answer is not to make Excel compliant but to retire it from regulated workflows. AI can help map spreadsheet columns to a validated CTMS, eTMF, EDC, eQMS, safety, RTSM, or data review platform. It can identify duplicate trackers, reconcile values, generate migration rules, and flag records needing human review. This is where AI may produce the greatest compliance value - not by polishing the spreadsheet but by helping teams escape spreadsheet sprawl.
4. Building a tool for commercial use. In cases when a sponsor company needs to work with a SaaS company for a custom tool, but the workflow is highly technical, the advanced AI can assist with translating the technical details, such as matching criteria, randomization requirements, blinded IP disbursement, and chain of custody for IP dispositions. These details can be turned into workflows or algorithms that are technically strong and can be easily replicated into code for developing the tool. This reduces the time taken to gather the requirements and understand the user requirements.

Recent software engineering studies report that AI-assisted software programmers can complete a JavaScript programming task 55.8% faster than without the use of AI ^12. Another study suggests that the use of AI tools can improve the efficiency of software engineering by 20%-45% and improve overall gains 20%-30% with workflow design and software development ^13,14,15. When these efficiencies are considered, the complete development of Part 11 compliant tools can decrease by $30,000 to $80,000 per system. The validation process costs could also be improved with faster validation protocol development, planning, execution, and summarizing findings for CSV paperwork.

AI Is A Catalyst, But It Has Its Limits

The use of AI introduces its own governance obligations. The FDA’s 2025 draft guidance on AI for drug and biological product regulatory decision-making proposes a risk-based credibility framework tied to a model’s context of use ^16. The EMA’s 2024 reflection paper on AI in the medicinal product life cycle similarly stresses data quality, bias, transparency, and risk-based governance ^17. Even if an AI tool is used for compliance operations rather than directly generating clinical evidence, the same logic applies. Teams need to define what the AI tool does, what decisions it supports, what the consequences of error are, how it is validated or qualified, how performance is monitored, and how outputs are reviewed.

With the use of AI, the danger is replacing one uncontrolled tool with another. If a study team uses an AI assistant to “review” files but does not document prompts, outputs, review decisions, model limitations, or approval steps, the compliance problem has merely changed its form. If validation documents generated using AI are accepted without expert review, the organization would have enabled a critical flaw, not efficacy. If an AI tool classifies spreadsheets incorrectly and teams rely on that classification without oversight, the risk remains the same, and the organizations would be accountable.

To leverage the AI tools to full advantage, the following steps must be considered: first, define the regulated use conditions and establish policies that provide instructions to the teams to use the AI tools appropriately; second, establish procedures to be followed, along with templates to document the use of AI tools; and last, implement frequent check-ins and document them to ensure the use of AI tools is compliant and is not creating any gaps.

The answer to the Part 11 problem is AI with governance; AI-based tools can make the process faster, broader, and more consistent. But compliance will still depend on old-fashioned fundamentals: intended use, risk assessment, validation, access control, auditability, record retention, training, change control, and documented human judgment.

References:

1. ScienceDirect, Data integrity issues in pharmaceutical industry: Common observations, challenges and mitigations strategies (https://www.sciencedirect.com/science/article/pii/S0378517322010584), International Journal of Pharmaceutics, 2023.
2. Ofni Systems, Problems Using MS Excel Track Changes as an Audit Trail (https://www.ofnisystems.com/services/validation/validation-resources/problems-using-ms-excel-track-changes-as-an-audit-trail/).
3. FDA, Part 11, Electronic Records; Electronic Signatures: Scope and Application (https://www.fda.gov/regulatory-information/search-fda-guidance-documents/part-11-electronic-records-electronic-signatures-scope-and-application), September 2003.
4. FDA, Electronic Systems, Electronic Records, and Electronic Signatures in Clinical Investigations: Questions and Answers (https://www.fda.gov/regulatory-information/search-fda-guidance-documents/electronic-systems-electronic-records-and-electronic-signatures-clinical-investigations-questions), October 2024.
5. 21 CFR 312.62, Investigator recordkeeping and record retention (https://www.law.cornell.edu/cfr/text/21/312.62), Legal Information Institute.
6. 21 CFR 11.10, Controls for closed systems (https://www.law.cornell.edu/cfr/text/21/11.10), Legal Information Institute.
7. Microsoft Learn, Food and Drug Administration CFR Title 21 Part 11 (https://learn.microsoft.com/en-us/compliance/regulatory/offering-fda-cfr-title-21-part-11), updated 2025.
8. FDA, FY2024 Clinical Investigator FDA 483 Observation Trends: https://www.fda.gov/media/191649/download
9. FDA, FY2024 Sponsor FDA 483 Observation Trends: https://www.fda.gov/media/191652/download
10. ZTABS, Healthcare Software Development Cost Guide: https://ztabs.co/cost/healthcare-software
11. IntuitionLabs, Computer System Validation Services: https://intuitionlabs.ai/services/computer-system-validation
12. Microsoft Research, “The Impact of AI on Developer Productivity: Evidence from GitHub Copilot”: https://www.microsoft.com/en-us/research/publication/the-impact-of-ai-on-developer-productivity-evidence-from-github-copilot/
13. McKinsey, “The economic potential of generative AI”: https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/the-economic-potential-of-generative-AI-the-next-productivity-frontier
14. McKinsey, “A CIO and CTO technology guide to generative AI”: https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/technologys-generational-moment-with-generative-ai-a-cio-and-cto-guide
15. Bain & Company, “Beyond Code Generation: More Efficient Software Development”: https://www.bain.com/insights/beyond-code-generation-more-efficient-software-development-tech-report-2024/
16. FDA, Considerations for the Use of Artificial Intelligence to Support Regulatory Decision-Making for Drug and Biological Products (https://www.fda.gov/regulatory-information/search-fda-guidance-documents/considerations-use-artificial-intelligence-support-regulatory-decision-making-drug-and-biological), draft guidance, January 2025.
17. EMA, Reflection paper on the use of Artificial Intelligence in the medicinal product lifecycle (https://www.ema.europa.eu/en/use-artificial-intelligence-ai-medicinal-product-lifecycle), adopted September 2024.

About The Author:

Sidharth Ananthanarayan is a clinical research and quality professional with a doctoral degree in business administration. He has contributed to multiple clinical development programs, supporting cell therapy products for oncology, autoimmune, and neurological indications, and has worked in operations, computer system validation, regulatory compliance, AI quality strategy, and cross-functional collaboration in regulated environments. Sidharth has also contributed to initiatives focused on improving operational processes and supporting quality-driven decision making throughout the clinical research lifecycle. In addition, he engages with the professional community through networking, knowledge sharing, and research-related activities.