Learnaboutgmp Community

Supplier Test Protocols


I have carried out a supplier audit, on assessing their very compreshensive test protocols which were in Excel spreadsheets that did not have any security (e.g. locked cells) and the individual test steps were not individually signed-off. There was a tab in the workbook for the information of the tester.

Whilst I don’t believe anything was falsified or not correct, I am used to seeing tests that are approved either by row, or by section and not 100s of lines grouped together.

Is this something that I should raise as a concern, or is it acceptable for a forward thinking software company to use uncontrolled, non-validated spreadsheets as part of official system testing?


I’d say it can’t be considered validated if the security isn’t in place. Part of validation should be to assess the veracity of the data.

Hi Mark –

If these protocols are intended to be used as proof of validation, I would definitely raise it as an issue. Validation protocols serve a GMP purpose in that they provide proof that a particular system or piece of equipment is able to consistently and reliably perform as expected within defined specifications. Therefore, they should be controlled in an appropriate document control system, and be reviewed and approved by the appropriate people to ensure correctness, completeness, and sufficiency for the purpose. Documentation should also provide sufficient evidence that the protocol was executed correctly and completely by a qualified individual, that no steps were skipped, and that expected results and acceptance criteria are met. The initialed and dated steps and hand-written observations on the protocol help provide that. Even better, screen shots or other objective evidence should be provided to show that test criteria were met.

Based on the description you provided, there is no proof that anyone did anything other than type a bunch of stuff into a spreadsheet, perhaps on the day before your visit!

Sometimes the “old-school” way of doing things is still considered best practice. Alternatively, a forward-thinking software company could invest in tools that would let them maintain the necessary control and accountability electronically while eliminating all the manual work.

Is it consistant with their own procedure?
Is your requirement based on a quality agreement with this supplier?
Unless this supplier is pretending to be “Gmp compliant” or any pharma regulation, he does not have to comply with it.
What was the scope/aim of the audit? supplier selection? or else?